Balancing cloud ERP security and business operations: Continuous updates are not a panacea.

Cloud adoption has certainly increased in recent years as migration of people, systems and data has become easier, costs have decreased and security concerns have eased. The shift from on-premises ERP systems to cloud ERP systems has brought many benefits to businesses, from reduced administrative burdens to lower capital expenditures. But cloud still has CIOs grappling with questions about the system and operational security. CIOs need a way to avoid the risk of version delay and not fall into the trap of risking operational security from an untested update failure.

The pros and cons of cloud erp . weigh

A well-configured cloud deployment offers significant cost, efficiency, and end-user benefits over more “traditional” on-premises deployments, but no system is completely immune to disruption. The ‘evergreen’ approach to continuous updates provides a reliable, regular flow of security patches, bug fixes and incremental improvements – but its nature presents challenges to IT departments and is certainly not an ERP solution.

Compared to the previous long-term on-premise ERP strategy, which can only be described as ‘find a version that works for you and then stay on it as long as possible’, the Software-as-a-Service ( SaaS) cloud model has proven to be a superior alternative.

Gone is the in-house management burden of quick fixes, patchwork integrations, and hasty responses to emerging vulnerabilities—an approach that often detracted from other business-critical IT tasks. By choosing an ERP system hosted in the Azure cloud, for example, companies can take advantage of thousands of dedicated employees with 24×7 availability on the supplier side, with even more specialized teams focused on ensuring the cybersecurity of their SaaS solutions. The scale is simply incomparable.

For example, we recently implemented a cloud-based Microsoft Dynamics 365 Business Central solution for Alzheimer’s Research UK charity, with improved reporting, remote access and enhanced security that are all part of the key benefits of shifting to cloud ERP. With a single solution, the charity was able to replace outdated financial software with limited remote availability and minimal data reporting features, and introduce an advanced, cloud-based alternative instead.

Skip the version lag – and vulnerabilities – with an evergreen approach to updates

Microsoft’s evergreen approach to keeping ERP systems up to date, with patches applied automatically on a regular basis, is a major shift from previous approaches to updates from many IT departments. Once implemented and modified to be fully functional, many companies avoid “shaking the boat” with updates or patches – often leading to a significantly outdated version.

The evergreen approach takes the update burden off the business and ensures that a cloud ERP system like Dynamics 365 always runs on a supported and patched version, eliminating end-of-life concerns. This ensures that companies do not use versions with limited functionality or known security vulnerabilities.

A test challenge: outdated systems or operational failure?

While this faster, predictable update cycle sharpens systems from a cybersecurity perspective, the highly integrated, adaptable nature of today’s cloud ERP systems can also be seen as a double-edged sword in terms of operational “security.” Of course, ERP vendors can’t test these updates for every individual business environment – many of which use highly customized or extensively integrated ERP systems – so there is a low risk of operational disruption to a critical system. If an update goes through, the problems don’t stop there, as many companies don’t have the time or resources to analyze all the release notes an ERP vendor produces. These notes contain details of the updates and it is up to the company to take this responsibility internally to see how a rollout would affect their system in terms of downtime and user interruption.

To ensure business continuity and avoid unexpected threats to day-to-day operations, support from a managed service provider and update patch testing on critical processes prior to deployment is vital – a task increasingly automated to the manual load. Take the case of United Oilseeds, a long-standing Columbus customer that has grown into one of the UK’s most successful farmers’ cooperatives. Due to issues with a previous third-party infrastructure managed service, United Oilseeds contacted Columbus to unify their application and infrastructure managed services. After an Azure migration project to modernize and future-proof

their ERP system, United Oilseeds began to see the benefits of a complete managed services package. The company has managed to eliminate back and forth between separate providers, and the more proactive approach results in less downtime from a single point of contact for their managed services. The newer, more up-to-date infrastructure also allows them to maximize the ROI of their ERP system.

Support the most important human element – application security is key

Unfortunately, the end user is often the weak link when mission-critical systems are compromised. Witness the major 2021 ransomware attack on the Irish public health system, which was caused by an unsuspecting user opening a single infected document received via email. The Covid-induced massive shift to remote working — which also made cloud deployments a much more attractive prospect due to their cost-effective capabilities and accessibility — has also increased the attack vector for cybercriminals, as many vulnerable personal devices with typically poorer security were connected to corporate networks. End-user training in online safety and cybersecurity best practices has never been more important – and for ERP systems, application security will play a critical role as well.

But by taking a granular approach to security, IT departments can provide peace of mind if a user account is compromised without impacting users’ access to critical systems and data. Properly configured, this includes detailed user types with different privileges, audit trails, and additional traceability measures such as automated checks. And with a cloud deployment, a single end-user account or device that gets infected won’t lead to catastrophic failures. Take a malware attack on a manufacturing company with operations that run around the clock. A compromised on-premise ERP system linked to the factory floor and other back-end systems will require a complete shutdown to prevent further spread and damage, impacting operations, production output and ultimately bottom line. This will not be the case with a SaaS implementation, where a client on one device is compromised.

Cloud addresses one cause for concern, but be careful with updates

There are obvious security risks associated with the traditional approach of finding an on-premise ERP implementation that works and then touching the infrastructure as little as possible – something that can be left

organizations running on highly outdated, vulnerable, or unsupported versions. But the rush to embrace an ‘evergreen’ approach to updates must also be taken with an understanding of the security implications – the cloud doesn’t solve all problems and operational security remains the company’s responsibility.

IT departments will need to adopt a broad definition of “security” that includes both protection against external threats and business continuity through ongoing critical operations. To ensure long-term cloud ERP success, they must ensure that their cloud deployment is configured correctly, application-level security is fit for purpose, and updates are rigorously tested to ensure maximum compatibility.

By Chris Clifford, Technical Solution Architect, Columbus UK.

Get in Touch

Related Articles

Get in Touch


Latest Posts