Security and data protection have always been a concern with SaaS and, if anything, those worries intensify as more business-critical apps head for the cloud.
That's certainly the case for manufacturing companies replacing their enterprise resource planning (ERP) systems. Panorama Consulting Solutions’ 2013 ERP Report found that the majority of the 172 companies it surveyed -- 61 percent -- have implemented or are in the process of deploying on-premises ERP. The company reported that 26 percent of the respondents selected SaaS and cloud ERP.
"Although the market for cloud usage is growing, its adoption rate continues to suffer from the perception that it is a risky endeavor," the report stated.
Panorama, a Denver company that focuses on the ERP market for midsized and large organizations, asked respondents about their reluctance to adopt cloud ERP. The risk of security breaches was cited by 32 percent of the respondents, while 17 percent mentioned risk of data loss. Unfamiliarity with cloud solutions also contributed to cloud shyness. About a third of the respondents pointed to a "lack of information or knowledge about the offerings on the market."
Jason Blessing, CEO at Plex Systems Inc., a Troy, Mich.-based developer of cloud ERP, noted that protecting and maintaining the integrity of proprietary data is a critical consideration for manufacturers.
“Not only do they want to be satisfied that no one is able to access their data, they also want assurances that they will have uninterrupted access to their data so there is little or no disruption in business continuity,” said Blessing.
Blessing said manufacturing firms have proprietary part and process information that must be protected from competitors, both foreign and domestic. ERP availability ranks as another prime concern. He added:
“It’s also crucial for the manufacturing process to not be interrupted. Even a short unplanned outage that keeps a manufacturer from being able to receive, process, track, and ship parts can be extremely expensive for the company.”
Signs of security
What should enterprises look for in a secure SaaS datacenter? Blessing listed a number of criteria:
- A datacenter must employ physical and electronic security measures appropriate for the data being protected. For a cloud provider, those measures should include restricted access to physical and network datacenter resources. At least two-factor access control should be in place, with access limited to a restricted group of employees.
- Appropriate monitoring of physical security must be in place (cameras and the ability to review past-recorded video).
- The building that houses the datacenter must establish certain physical access controls and logging. That step includes logging visitors and issuing badges. Blessing said visitors should never have access to the datacenter without an employee escort. And access control systems should log key card access at secure doors.
- A datacenter should establish similar access controls and monitoring for the network. Firewall rules should ensure that only those employees who need to access servers are granted that access. The scope of access should be limited to only the resources approved employees need to do their jobs.
- Anti-malware and intrusion/vulnerability protection should be deployed in appropriate network locations that don’t interfere with the proper functioning of systems and software.
- A datacenter should conduct routine vulnerability testing at the network, operating system, and ERP cloud application levels. Security logs should be reviewed on a periodic basis.
Organizations looking into SaaS ERP can ask questions about these security measures and how a given SaaS datacenter implements them. They can also ask a SaaS provider for audit reports, such as Statement on Standards for Attestation Engagements (SSAE) 16. A prospective customer can also request a datacenter tour.
“No company should consider adopting SaaS/cloud technology without a thorough review of the vendors’ security protocols and policies,” Blessing said.
Safer than in-house ERP?
SaaS vendors who institute the necessary controls end up with better security than in-house ERP systems. That’s the Panorama report's contention.
Panorama's experience has shown that cloud providers typically provide more secure and reliable solutions than any internal IT group ever could, which is an important point for executives to consider during the software selection process.
Blessing shared a similar view:
“After explaining our approach to security and our use of two datacenters with redundant infrastructures which replicate data offsite, the potential client is usually satisfied that our security regimen far exceeds what they could support in an on-premise scenario.”
Panorama's report suggests that message is failing to reach a significant number of potential cloud ERP buyers. SaaS providers probably need to redouble their communication and education efforts. And enterprises need to learn what questions to ask of cloud providers.