Enterprise Resource Planning

Latest ResearchJoin Group
Critical Controls Implementation for SAP
Critical Controls Implementation for SAP


Join this working group
Enterprise Resource Planning
The move to cloud has at least three advantages when running Enterprise Resource Planning (ERP) applications: faster time to value, increased innovation, and scalability with growth. However, the move to the cloud is still very complex for organizations migrating from on-premise systems. According to a survey from CSA, 64% of organizations were planning or in the middle of an ERP cloud migration project, while 87% percent of organizations were considering ERP solutions plan to use cloud solutions. 

Every Enterprise Resource Planning (ERP) deployment is something that is unique to each organization. In most cases organizations spend months if not years customizing their SAP or Oracle implementations and also spend a significant amount of money with third party contractors to get the implementations done. This makes standard security measures more difficult to implement due to the differences of each deployment. With the complexity of these large implementations, combined with the criticality of data and processes housed in these applications, it is imperative that industry best practices be established to provide companies with security guidelines when migrating to the cloud in order to protect the organization’s critical infrastructure.

There is a need for guidance that addresses specific technologies.
The ERP working group understands that security configurations and vulnerabilities for cloud ERP applications can be difficult to navigate as there is currently no framework that aligns with standard controls. Furthermore, ERP applications are so complex and diverse that for any guidance document to be truly useful, from an implementation perspective, there is a need to address specific technologies. The Critical Controls Implementation for SAP is the first document in a series of implementation documents the ERP working group hopes to develop that focuses on specific ERP technologies. 

Enterprise Resource PlanningSecurity as a ServiceCloud Key ManagementSoftware Defined Perimeter

The Enterprise Resource Planning (ERP) working group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments.

Next Meeting

Apr 21, 2021, 09:00AM PDT
Join the Meeting

Working Group Leadership

Charlie Singh Headshot

Charlie Singh

Juan Pablo Perez-Etchegoyen Headshot

Juan Pablo Perez-Etchegoyen

Join this working group

Security for Enterprise Resource Planning

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.



SAP security documentation can be difficult to navigate and there are currently no frameworks that aligns with standard controls. This document aims to alleviate that problem by describing the implementation of the Top 20 Critical Controls for Cloud ERP Customer from a technology specific perspective, in this case SAP. SAP customers are extensively migrating to the cloud and will benefit from this document the most.

Top 20 Critical Controls for Cloud ERP Customers

Top 20 Critical Controls for Cloud ERP Customers

Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To assist in this process, this paper assesses and prioritizes the most critical controls organizations need to consider when transitioning their business-critical applications to cloud environments. The document also contains an overview of cloud ERP security, control details and associated threats and risks. The 20 controls provided are grouped into domains for ease of consumption, that align with the existing CSA Cloud Control Matrix (CCM) v3 structure of controls and domains. Application controls include: completeness and validity checks, identification, authentication, authorization, input, and forensic controls.

Enterprise Resource Planning and Cloud Adoption

Enterprise Resource Planning and Cloud Adoption

The “Impact of Cloud on ERP” survey report was designed to assess the impact of ERP solutions on organizations and better understand cloud preparation and data migration needs to implement ERP solutions in the cloud. Features and benefits gained, security and privacy challenges, and time to deploy for an ERP Solution in a cloud environment were explored.

Blog Posts

Using CSA’s Implementation Guide for SAP to securely migrate and operate ERP applications in the cloud.
RECON (CVE-2020-6287) and its impact on Cloud Applications
It's Time for Security Leadership to Embrace the Cloud-First Future

Press Coverage

Article TitleSourceDate
14 controls for securing SAP systems in the cloudCSO OnlineOctober 29, 2020