Enterprise Resource Planning

Latest ResearchJoin Group
Critical Controls Implementation for Oracle E-Business Suite
Critical Controls Implementation for Oracle E-Business Suite


Peer Review: Critical Controls Implementation for Salesforce
Enterprise Resource Planning
The move to cloud has at least three advantages when running Enterprise Resource Planning (ERP) applications: faster time to value, increased innovation, and scalability with growth. However, the move to the cloud is still very complex for organizations migrating from on-premise systems. According to a survey from CSA, 64% of organizations were planning or in the middle of an ERP cloud migration project, while 87% percent of organizations were considering ERP solutions plan to use cloud solutions. 

Every Enterprise Resource Planning (ERP) deployment is something that is unique to each organization. In most cases organizations spend months if not years customizing their SAP or Oracle implementations and also spend a significant amount of money with third party contractors to get the implementations done. This makes standard security measures more difficult to implement due to the differences of each deployment. With the complexity of these large implementations, combined with the criticality of data and processes housed in these applications, it is imperative that industry best practices be established to provide companies with security guidelines when migrating to the cloud in order to protect the organization’s critical infrastructure.

There is a need for guidance that addresses specific technologies.
The ERP working group understands that security configurations and vulnerabilities for cloud ERP applications can be difficult to navigate as there is currently no framework that aligns with standard controls. Furthermore, ERP applications are so complex and diverse that for any guidance document to be truly useful, from an implementation perspective, there is a need to address specific technologies. The Critical Controls Implementation for SAP is the first document in a series of implementation documents the ERP working group hopes to develop that focuses on specific ERP technologies. 

Enterprise Resource PlanningCloud Key ManagementSecurity as a ServiceSoftware Defined Perimeter

The Enterprise Resource Planning (ERP) working group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments.

Next Meeting

Dec 01, 2021, 09:00AM PST
Join the Meeting

Working Group Leadership

Charlie Singh Headshot
Charlie Singh
Charlie Singh

This person does not have a biography listed with CSA.

Juan-Pablo Perez-Etchegoyen Headshot
Juan-Pablo Perez-Etchegoyen
Juan-Pablo Perez-Etchegoyen

Juan-Pablo Perez-Etchegoyen is the chief technology officer of Onapsis, where he leads the innovation team to ensure the company stays on the cutting edge of the business-critical application security market. He serves as co-chair of the CSA Enterprise Resource Planning (ERP) working group, where he leads the development of multiple documents and surveys to help organizations secure their ERP applications while migrating to the ...

Read more

Join this working group

Security for Enterprise Resource Planning

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.



SAP security documentation can be difficult to navigate and there are currently no frameworks that aligns with standard controls. This document aims to alleviate that problem by describing the implementation of the Top 20 Critical Controls for Cloud ERP Customer from a technology specific perspective, in this case SAP. SAP customers are extensively migrating to the cloud and will benefit from this document the most.

Top 20 Critical Controls for Cloud ERP Customers

Top 20 Critical Controls for Cloud ERP Customers

Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To assist in this process, this paper assesses and prioritizes the most critical controls organizations need to consider when transitioning their business-critical applications to cloud environments. The document also contains an overview of cloud ERP security, control details and associated threats and risks. The 20 controls provided are grouped into domains for ease of consumption, that align with the existing CSA Cloud Control Matrix (CCM) v3 structure of controls and domains. Application controls include: completeness and validity checks, identification, authentication, authorization, input, and forensic controls.

Critical Controls for Oracle EBS

Critical Controls for Oracle EBS

Oracle E-Business Suite (EBS) clients should address cloud migration as much more than a data center migration project. Cloud migration is a significant opportunity to “start over” regarding security by using best practices, tools, services, and techniques unique to the cloud. Moving an EBS implementation to the cloud can significantly strengthen an organization’s security posture. However, deploying EBS in the cloud can also bring severe risks if not done right. This paper outlines 20 critical controls that will help an organization determine what security changes are needed when deploying Oracle EBS in the cloud.

Blog Posts

Critical Controls for Oracle E-Business Suite
Why Is Cybersecurity Critical in Protecting Infrastructure?
Using CSA’s Implementation Guide for SAP to securely migrate and operate ERP applications in the cloud.

Press Coverage

Article TitleSourceDate
14 controls for securing SAP systems in the cloudCSO OnlineOctober 29, 2020
You've migrated to the cloud, now what?CIO UKOctober 11, 2021