SaaS ERP and Security: What You Need To Know
In 2018, SaaS ERP reached its highest point. According to the 2018 ERP Software Report of Panorama Consulting Solutions, the adoption of SaaS within companies rose to 64%, against 27% the year before! This rapid growth shows that companies are increasingly ready to trust SaaS solutions, despite the mistrust most of them showed one year ago.
Data security appears to be the main factor in this change. Until now, security has been one of the biggest obstacles to adopting ERP software online. But today, companies' perception of this point has completely changed, and we explain why.
Security: the ultimate barrier to adoption of SaaS
If companies have been slow to adopt the SaaS model, it is primarily for security reasons. The same Panorama Consulting Solutions report on ERP in 2017 showed that among companies still reluctant to adopt cloud-based ERP, 72% feared a data loss and 12% a security breach of their data. These fears are legitimate given the current environment: the recent discovery of the Google+ security breach is an example that might discourage companies that were even considering adopting a Cloud-based model.
In October 2018, Google quietly announced that it had discovered in March a security flaw in the code of Google+, the social network it created in 2011! The vulnerability would have affected nearly 500,000 Google+ accounts in two weeks, exposing their personal data to applications using the Google+ API. The fact that Google waited until the flaw was fixed before communicating about it, but also the fact that the flaw remained online for 3 years without the web giant noticing it, created a global scandal.
Besides, many studies have pointed out that when it comes to the SaaS model, companies take longer to adopt online management solutions such as ERP or accounting software than productivity or monitoring software. This is evidence of mistrust toward SaaS ERP solutions, which administer sensitive data, including financial data. Companies have long been reluctant to expose themselves to the risk of leaks for this type of data. Opting for an ERP in SaaS mode involves handing “control” of its data to a supplier. ERP solutions handle a large amount of so-called “sensitive” data, in the GDPR sense of the term: personal identification information, billing data, supplier data, customer data, etc. Moving this information out of the company's own control to store it in the Cloud inevitably causes reluctance!
Another significant fear of ERP users is that the multi-tenant architecture, often used by SaaS software vendors, increases the opportunities for cyberattacks because the data of different user companies sits side by side on shared infrastructure.
Security has become the number one priority for software publishers
But then, how can such an increase in the adoption of SaaS ERP solutions be explained? The answer lies in the change in companies' perception of this key point: data security.
For starters, a large number of companies lack the human, material and financial resources needed to implement the necessary security measures. To protect effectively against cyberattacks, a number of controls are needed: VPN, IDS, two-factor authentication, cryptography, antispam filtering, and even cyber insurance. But each tool has a cost, human and financial, which far exceeds what an average company can reasonably invest. For example, it is not uncommon for the simple installation of a security sensor to reach $120,000! Therefore, the fact that the SaaS ERP publisher takes full charge of cyber security costs has been a boon for a large number of companies.
Security has become the number one priority for SaaS ERP publishers and, as a direct result, the security market is doing well: +8% growth for cyber security in 2018 according to Gartner. Publishers are well aware of the risks of storing data in the Cloud and do not skimp on investments. Flexible and scalable, SaaS ERP in particular can quickly integrate the latest data protection technologies: the TLS encryption protocol, for example, or the PSAD intrusion detection tool. Given these efforts, online ERP solutions are now far less exposed to certain types of threats (malware and botnets, for example) than “installed” ERP.
The minimum security measures to expect from a SaaS ERP
SaaS ERP publishers deploy a large number of measures to ensure the safety of users. Here is a list of the basic procedures that must be in place:
- An encrypted, secure user authentication protocol: many publishers rely, for example, on the Lightweight Directory Access Protocol (LDAP), which queries directory-based databases of information about network users;
- Securing backups: for example, the SaaS application backup service Spanning provides unlimited backup of Google Apps and Salesforce data for $40 and $48 per user per year, respectively;
- A security protocol to protect customer data in transit when connecting to the service, such as Secure Sockets Layer (SSL) and Secure Shell (SSH);
- A firewall, which filters the exchange of data between the user’s computer and the Internet, thus defining what types of communications are allowed on the network. The most widespread firewall to date remains iptables;
- Tools for detecting and blocking cyber attacks, which continuously scan for threats, intrusions and suspicious behavior in real time. The Fail2ban tool, for example, bans IP addresses after a certain number of failed requests. Snort’s network intrusion detection system (NIDS), available as open source, is also widely used by Windows and Linux users to detect intrusion attempts and react quickly.
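As an added illustration of the Fail2ban-style blocking just described (example code written for this article, not part of the original page nor of Fail2ban itself), the following Python scans constructed SSH-style auth-log lines, flags any IP with three failed logins inside a ten-minute window, and renders the kind of iptables drop rule such a tool would insert:

```python
"""Minimal Fail2ban-style detector: sliding-window count of failed logins per IP."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed SSH-style auth log lines (hypothetical hosts, documentation IPs).
SAMPLE_LOG = """\
2018-11-02T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2018-11-02T10:00:04 sshd[101]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2018-11-02T10:00:05 sshd[102]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
2018-11-02T10:00:09 sshd[103]: Failed password for root from 203.0.113.7 port 50124 ssh2
2018-11-02T10:03:00 sshd[104]: Failed password for bob from 198.51.100.20 port 40002 ssh2
2018-11-02T10:30:00 sshd[105]: Failed password for bob from 198.51.100.20 port 40003 ssh2
2018-11-02T10:31:00 sshd[106]: Failed password for bob from 198.51.100.20 port 40004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_bans(log_text, maxretry=3, findtime=600):
    """Return {ip: timestamp_of_ban} for IPs with >= maxretry failures inside
    any findtime-second window (same semantics as Fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue                  # not a failure, or already banned
        ip = m.group("ip")
        ts = datetime.fromisoformat(m.group("ts")).timestamp()
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()          # drop failures that aged out of the window
        if len(window) >= maxretry:
            bans[ip] = m.group("ts")
    return bans

def iptables_rules(bans):
    """Render the DROP rule Fail2ban's iptables action would insert per banned IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]

if __name__ == "__main__":
    for rule in iptables_rules(find_bans(SAMPLE_LOG)):
        print(rule)
```

With the defaults, only 203.0.113.7 is banned: 198.51.100.20 also fails three times, but its first failure falls outside the ten-minute window of the other two.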
For their part, users are encouraged to use a unique, strong password (more than 12 characters, including numbers and special characters), and to change it regularly.
What are the real security risks of a SaaS ERP?
Considering all the measures deployed by online ERP software publishers, one may wonder whether any risk of a security breach remains. Unfortunately, risks do remain, even when the security measures are solid.
The most delicate point is authentication. Regardless of the measures put in place, the risk of unwanted third-party access still remains, and even though most SaaS ERP solutions are able to block suspicious login attempts, a small fraction manages to fall through the cracks. The intrusion can also come from elsewhere: SaaS ERP software can be interfaced with many third-party applications thanks to APIs, and a single security vulnerability in one of these applications is enough to affect the SaaS software. Let’s go back to our initial example: it was via the Google+ API that data from more than 500,000 Google+ accounts could be exposed to third-party apps!
A weak password also puts the company at risk. If the user reuses, for the ERP account, a password already used elsewhere, and those login credentials are recovered by other means, then the data contained in the ERP is exposed.
How to know if a SaaS ERP is well secured?
First, remember that in the context of a SaaS service, it is the service provider who is responsible for the security of the software: in general, the hosting provider supplies a large part of the necessary protection measures along with the hosting itself.
In any case, it is essential to ask the software publisher the right questions during the selection and study phase of online ERP tools.
The first questions to ask relate to the use of your data: how long will your data be kept? Does the publisher provide secure data backups?
In Europe, any SaaS provider must comply with the GDPR, which became effective on May 25, 2018, and must therefore guarantee the protection of the personal data of each user, in particular by encrypting the data. SaaS providers must also respect users’ rights: the right of access, the right to obtain a portable copy of the stored data, the right to erasure, and the right to revoke consent to data processing at any time. Thus, a secure SaaS ERP must allow you to exercise your fundamental rights to your data as set out in the General Data Protection Regulation (GDPR): you must have the right to request an export of your data at any time and in a readable format, as well as to request their final deletion.
On the other hand, the client company also has a role to play in the security of the data processed by its ERP solution. In particular, it must carefully read the SaaS agreement and the proposed data protection policy to ensure that the security measures offered by the ERP publisher cover its needs. It must also control each user's level of access to sensitive data (billing, personal data of employees, customer and supplier contacts, etc.). The SaaS distribution model ultimately relies on a shared responsibility between the provider and the user for the protection of personal data.
It is also essential to learn what to expect in case of failure, disaster, or other problem: what are the user notification conditions? What is the resolution time for technical problems? What is the maximum network downtime per month? This information is mostly included in the SLA (Service-Level Agreement). In addition, SaaS ERP publishers generally commit to a certain service availability rate: the closer it is to 100%, the less likely the system is to fail!
SaaS ERP publishers are aware of the potential risks of Cloud Computing and have made security their number one priority. So in 2019, get ready to hear the publishers reassure you: “your data is much more secure in the Cloud than on your own server”!