Balancing cloud ERP security with operations: continuous updates are not a ‘cure-all’.

Cloud adoption rates have certainly increased in recent years as migration of people, systems and data became simpler, costs have decreased and concerns over security eased. Shifting from on-premise to cloud ERP systems has brought a wealth of benefits to businesses, from reduced administrative burdens to lower capital expenditure. But cloud still has CIOs wrestling with questions around the system and operational security. CIOs need a way to avoid the risk of version lag, and not fall into the trap of risking operational security through untested update failure.

Weighing the pros and cons of cloud erp

Well-configured cloud deployment offers significant cost, efficiency and end-user benefits over more ‘traditional’ on-premise deployments, but no system is fully immune from disruption. The ‘evergreen’ approach of continuous updates provides a reliable, regular stream of security patches, bug fixes and incremental improvements – but its very nature poses challenges to IT departments and is certainly not an ERP cure-all.

When compared to the previous long-term, on-premise ERP strategy that can only be described as ‘find a version that works for you then sit on it for as long as possible,’ the Software-as-a-Service (SaaS) cloud model has very much established itself as a superior alternative.

Gone is the in-house management burden of quick fixes, patchwork integrations and rushed responses to emerging security exploits – an approach that often detracted from other business-critical IT tasks. By opting for an ERP system hosted in, for example, the Azure cloud, businesses can take advantage of thousands of dedicated staff with 24×7 availability on the vendor side, with yet more specialist teams focused on ensuring the cybersecurity of their SaaS solutions. The scale is simply incomparable.

For a case in point, we recently implemented a cloud-based Microsoft Dynamics 365 Business Central solution for charity Alzheimer’s Research UK, with enhanced reporting, remote access and enhanced security all part of the core benefits of a shift to cloud ERP. With a single solution, the charity was able to replace ageing financial software with limited remote availability and minimal data reporting features, introducing an advanced, cloud-based alternative in its place.

Skip the version lag – and security holes – with an ‘evergreen’ approach to updates

The Microsoft ‘evergreen’ approach to keeping ERP systems updated, whereby patches are automatically applied on a regular scheduled basis, is a major shift from previous approaches to updates held by many IT departments. Once deployed and customized to be fully functional, many businesses avoid ‘rocking the boat’ with updates or patches – often leading to a significantly outdated version.

The ‘evergreen’ approach takes the update burden out of the business’ hands, ensuring a cloud ERP system such as Dynamics 365 is always kept running on a supported and security-patched version, easing end-of-life concerns. This ensures businesses are not running versions with limited functionalities or known security vulnerabilities.

A testing challenge: outdated systems or operational disruption?

While this faster, predictable update cycle tightens systems from a cybersecurity perspective, the highly integrated, customizable nature of today’s cloud ERP systems can also be seen as a double-edged sword in terms of operational ‘security’. ERP vendors naturally cannot test these updates for every individual business environment – many of which operate highly customized or extensively integrated ERP systems – so there is a low-lying risk of operational disruption to a critical system. If an update does go ahead, the difficulties don’t end there as many businesses lack the time or resources to analyze all the release notes an ERP vendor produces. These notes contain details of the updates and it’s up to the business to take this responsibility in-house to see how a rollout would affect their system in terms of downtime and user disruption.

To ensure business continuity and no unexpected threats to day-to-day operations, having support from a managed service provider along with testing the update of patches on critical processes prior to deployment will be vital – a task that is increasingly being automated to ease the manual burden. Take the case of United Oilseeds, a long-standing Columbus customer which has gone on to become one of the UK’s most successful farmer co-operatives. Due to issues with a previous third-party infrastructure managed service, United Oilseeds reached out to Columbus to unite their application and infrastructure managed services. After an Azure migration project to modernize and futureproof

their ERP system, United Oilseeds began to see the benefits of a complete managed services package. The company has been able to eliminate the back-and-forth between separate providers, and the more proactive approach results in less downtime of a single point of contact for their managed services. The newer, more up-to-date infrastructure also enables them to maximize the ROI of their ERP system.

Support the all-important human element – application security is key

Unfortunately, the end-user is often the weak link when business-critical systems are compromised. Witness the 2021 major ransomware attack on the Irish public health system, which was triggered by an unsuspecting user opening a single infected document received via email. The Covid-induced mass shift to remote working – which also made cloud deployments a far more attractive prospect due to their cost-saving abilities and accessibility – has also increased the attack vector for cybercriminals, as many vulnerable personal devices with typically poorer security were connected to corporate networks. End-user training in online safety and cybersecurity best practices has never been so important – and for ERP systems, application security will also have a vital role to play.

But by taking a granular approach to security, IT departments can ensure ease of mind should a user account be compromised, without heavily impacting on user access to critical systems and data. Configured correctly, this spans detailed user types with varying privileges, audit trails and additional traceability measures such as automated checks. And with a cloud deployment, a single end-user account or device being infected will not result in catastrophic failure. Take a malware attack on a manufacturing company with operations running around the clock. A compromised on-premise ERP system linked to the factory floor and other back-end systems will require an entire shut-down to avoid further spread and damage – affecting operations, manufacturing output, and ultimately the bottom line. With a SaaS deployment, whereby a client on a single device is compromised, this will not be the case.

Cloud tackles one cause for concern – but tread carefully with updates

There are clear security risks for the traditional approach of finding an on-premise ERP deployment that works and then touching the infrastructure as little as possible – something that can leave

organizations running off highly outdated, vulnerable or unsupported versions. Yet the rush to embrace an ‘evergreen’ approach to updates must also be taken with an understanding of the security implications – cloud doesn’t solve all the issues and operational security remains the responsibility of the business.

IT departments will need to take a broad definition to ‘security’, spanning both protection from external threats and business continuity through sustained critical operations. To ensure long-term cloud ERP success, they must ensure their cloud deployment is correctly configured, security at the application level is fit-for-purpose, and updates are thoroughly tested to ensure maximum compatibility.

By Chris Clifford, Technical Solution Architect, Columbus UK.