Research Topic

Enterprise Resource Planning

Latest ResearchWorking Group
Critical Controls Implementation for Oracle E-Business Suite
Critical Controls Implementation for Oracle E-Business Suite


Enterprise Resource Planning
The move to cloud has at least three advantages when running Enterprise Resource Planning (ERP) applications: faster time to value, increased innovation, and scalability with growth. However, the move to the cloud is still very complex for organizations migrating from on-premise systems. According to a survey from CSA, 64% of organizations were planning or in the middle of an ERP cloud migration project, while 87% percent of organizations were considering ERP solutions plan to use cloud solutions. 

Every Enterprise Resource Planning (ERP) deployment is something that is unique to each organization. In most cases organizations spend months if not years customizing their SAP or Oracle implementations and also spend a significant amount of money with third party contractors to get the implementations done. This makes standard security measures more difficult to implement due to the differences of each deployment. With the complexity of these large implementations, combined with the criticality of data and processes housed in these applications, it is imperative that industry best practices be established to provide companies with security guidelines when migrating to the cloud in order to protect the organization’s critical infrastructure.

There is a need for guidance that addresses specific technologies. 
Security configurations and vulnerabilities for cloud ERP applications can be difficult to navigate as there is currently no framework that aligns with standard controls. Furthermore, ERP applications are so complex and diverse that for any guidance document to be truly useful, from an implementation perspective, there is a need to address specific technologies. To fill this gap, the ERP working group has developed a series of implementation documents that focus on specific ERP technologies including guidelines for: SAP, Salesforce, and Oracle E-Business Suite.

Enterprise Resource PlanningCloud Key ManagementSecurity as a ServiceSoftware Defined Perimeter

Discuss this topic in Circle

Have an interesting article or video on this topic that you want to share? Anyone can join the discussion community for this topic to share ideas or ask questions.

View discussion community

Participate in Enterprise Resource Planning Research

The Enterprise Resource Planning (ERP) working group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments.

View the working group

View all

Security for Enterprise Resource Planning

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.



SAP security documentation can be difficult to navigate and there are currently no frameworks that aligns with standard controls. This document aims to alleviate that problem by describing the implementation of the Top 20 Critical Controls for Cloud ERP Customer from a technology specific perspective, in this case SAP. SAP customers are extensively migrating to the cloud and will benefit from this document the most.

Top 20 Critical Controls for Cloud ERP Customers

Top 20 Critical Controls for Cloud ERP Customers

Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To assist in this process, this paper assesses and prioritizes the most critical controls organizations need to consider when transitioning their business-critical applications to cloud environments. The document also contains an overview of cloud ERP security, control details and associated threats and risks. The 20 controls provided are grouped into domains for ease of consumption, that align with the existing CSA Cloud Control Matrix (CCM) v3 structure of controls and domains. Application controls include: completeness and validity checks, identification, authentication, authorization, input, and forensic controls.

Critical Controls for Oracle EBS

Critical Controls for Oracle EBS

Oracle E-Business Suite (EBS) clients should address cloud migration as much more than a data center migration project. Cloud migration is a significant opportunity to “start over” regarding security by using best practices, tools, services, and techniques unique to the cloud. Moving an EBS implementation to the cloud can significantly strengthen an organization’s security posture. However, deploying EBS in the cloud can also bring severe risks if not done right. This paper outlines 20 critical controls that will help an organization determine what security changes are needed when deploying Oracle EBS in the cloud.


SaaS Security Best Practices
SaaS Security Best Practices

October 6 | Online

Learn more

Sponsored CSA Research Survey - Trends in Securing Sensitive Data with Privacy Enhancing Technologies
Sponsored CSA Research Survey - Trends in Securing Sensitive...

October 5 | Online

Learn more

How Good is Your Organization’s Cloud and Kubernetes Security Posture?
How Good is Your Organization’s Cloud and Kubernetes Securit...

September 21 | Online

Learn more

SASE: Transformación de seguridad para una transformación digital
SASE: Transformación de seguridad para una transformación di...

July 14 | online

Learn more

Blog Posts

SAP S/4HANA: 5 Ways to Build In Security From the Start
Overview of Critical Controls for Oracle Cloud Applications
Leveraging CSA to React to Critical Risks