Four Ways The Onapsis Platform Can Help Mitigate Security Risk During an ERP Cloud Migration

Your Enterprise Resource Planning (ERP) system, whether SAP or the Oracle E-Business Suite (EBS), is vital to your organization’s central processes. It can support all business functions including finance, manufacturing, procurement, ordering, services, human resources, and more. Keeping your ERP system functional and performing efficiently and at a high level is an absolute must. But, in order to optimize performance, making changes is necessary. One of the biggest challenges with ERP system changes is that these changes can create security and compliance risks or expose new exploit opportunities on existing vulnerabilities. 

Some common change scenarios to your ERP system include applying security patches, updating servers, upgrading software versions, and migrating servers and applications to the cloud. While each of these changes can introduce varying degrees of risk, this blog focuses on a major change agent that is trending today–ERP cloud migrations.

ERP cloud migration projects already exist at many organizations in various states – from idea to implementation. Are you moving the servers that support your ERP system to a cloud service? Or are you moving your entire ERP system to the cloud where it will also be managed by SAP, Oracle, or another managed service provider? This blog offers a few tips on how to manage and mitigate the risks from start to finish to help ensure a successful migration and how The Onapsis Platform can help.

1. Baseline your vulnerability posture as part of the initial scoping of your migration project

Before starting your ERP migration, start with ensuring your systems are configured correctly, and that you have the proper controls in place. Using The Onapsis Platform (OP) Assessment Scanning, you can run a vulnerability scan to baseline the “Before Migration” risk posture of the system. This same scan can be run nightly or weekly to establish any deviation from your baseline. OP’s Issue Report will give you precise indicators, so you know exactly what to fix as well as see your progress as you address identified issues.

2. Remediate critical and high risk vulnerabilities as a cloud migration prerequisite 

The Onapsis Research Labs have observed exploit attempts on new cloud ERP deployments within three hours of going live, so it is absolutely critical to reduce the risk exposure of your ERP’s vulnerability footprint before moving to the cloud. The vulnerabilities listed on the OP Issue Report are broken out by categories (e.g., configuration, missing patches, authorization, code) that can be easily reviewed by a triage team. Generally, most vulnerability triage teams are matrixed teams of resources across your SAP Basis team, your SAP Security/Roles/GRC team, your SAP development team, and possibly someone from a risk management team that reports to the CISO. With Onapsis, this vulnerability triage team can move more efficiently and effectively, with severity information, business impact, and technical solution guidance that aids in prioritization and accelerates mitigation and remediation of each identified vulnerability.

3. Remain in control DURING the migration 

The migration team will probably refer to the “in-between” phase as the “cutover phase.” During this cutover phase, SAP systems are generally duplicated from the current “legacy” environment into the new data center or cloud environment.  

The Onapsis Platform has the scalability to reach into BOTH environments to perform vulnerability scan comparisons between your new environment and the pre-cutover environment. Report comparisons provide valuable risk information that helps measure your cutover team’s adherence to service levels around maintaining a low risk posture, with the goal of ensuring that no additional vulnerabilities have been introduced to your new SAP environment during the cutover phase. Generally, we see clients leverage the OP vulnerability scans as a critical part of the “go/no go” decision-making as they move from one phase to the next (i.e., move from freeze to exit cutover for go-live). Additionally, leveraging application security testing during your application development cycles and monitoring transports ensures compliance and risk mitigation before custom code goes into production in your new cloud environment. 

4. Remain in control AFTER the migration

With a successful “go-live” announcement from the migration team, your organization’s most business-critical applications and important assets–the crown jewels of your business–are now in the cloud. This introduces new levels of risk for the organization. Whether it was a migration to a private cloud or a managed service provider, you still need visibility into your complete ERP landscape to ensure it remains secure and compliant since your mandate to manage risk to your business-critical systems remains the same. The vulnerability scans configured during the project are carried forward, ensuring that you identify any new vulnerabilities for your most critical systems. Additionally, here we generally see clients expand their OP footprint with continuous monitoring to help detect zero-day threats to their landscape between vulnerability scans. This continuous monitoring easily fits into your existing Security Operations Center (SOC) technology stack (e.g., SIEM, XDR, ticketing systems) and workflows. OP helps you understand your true risk posture for your overall ERP landscape, from on-premises deployment to your cloud-migrated systems.

There is no doubt that moving an ERP system to the cloud is a massively complex project for any organization. Wherever you are in your migration journey, Onapsis can help. To help give you the confidence to make your ERP cloud migration project a success, contact our team today.