Every Enterprise Resource Planning (ERP) deployment is something that is unique to each organization. In most cases organizations spend months if not years customizing their SAP or Oracle implementations and also spend a significant amount of money with third party contractors to get the implementations done. This makes standard security measures more difficult to implement due to the differences of each deployment. With the complexity of these large implementations, combined with the criticality of data and processes housed in these applications, it is imperative that industry best practices be established to provide companies with security guidelines when migrating to the cloud in order to protect the organization’s critical infrastructure.
There is a need for guidance that addresses specific technologies.
The ERP working group understands that security configurations and vulnerabilities for cloud ERP applications can be difficult to navigate as there is currently no framework that aligns with standard controls. Furthermore, ERP applications are so complex and diverse that for any guidance document to be truly useful, from an implementation perspective, there is a need to address specific technologies. The Critical Controls Implementation for SAP is the first document in a series of implementation documents the ERP working group hopes to develop that focuses on specific ERP technologies.
The Enterprise Resource Planning (ERP) working group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments.
Dec 01, 2021, 09:00AM PST
Join the Meeting
Working Group Leadership
This person does not have a biography listed with CSA.
Juan-Pablo Perez-Etchegoyen is the chief technology officer of Onapsis, where he leads the innovation team to ensure the company stays on the cutting edge of the business-critical application security market. He serves as co-chair of the CSA Enterprise Resource Planning (ERP) working group, where he leads the development of multiple documents and surveys to help organizations secure their ERP applications while migrating to the ...
Security for Enterprise Resource Planning
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
SAP security documentation can be difficult to navigate and there are currently no frameworks that aligns with standard controls. This document aims to alleviate that problem by describing the implementation of the Top 20 Critical Controls for Cloud ERP Customer from a technology specific perspective, in this case SAP. SAP customers are extensively migrating to the cloud and will benefit from this document the most.
Top 20 Critical Controls for Cloud ERP Customers
Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To assist in this process, this paper assesses and prioritizes the most critical controls organizations need to consider when transitioning their business-critical applications to cloud environments. The document also contains an overview of cloud ERP security, control details and associated threats and risks. The 20 controls provided are grouped into domains for ease of consumption, that align with the existing CSA Cloud Control Matrix (CCM) v3 structure of controls and domains. Application controls include: completeness and validity checks, identification, authentication, authorization, input, and forensic controls.
Critical Controls for Oracle EBS
Oracle E-Business Suite (EBS) clients should address cloud migration as much more than a data center migration project. Cloud migration is a significant opportunity to “start over” regarding security by using best practices, tools, services, and techniques unique to the cloud. Moving an EBS implementation to the cloud can significantly strengthen an organization’s security posture. However, deploying EBS in the cloud can also bring severe risks if not done right. This paper outlines 20 critical controls that will help an organization determine what security changes are needed when deploying Oracle EBS in the cloud.