In the early days of the cloud, IT worried about security. After all, if your data isn’t in your own hands, how do you know it’s safe?
Fortunately, it is cloud vendors’ business to make their systems secure and they have layers of professionals and security tools to do so. Today, one could reasonably argue that cloud services from reputable providers are safer than in-house applications.
Safer yes, within the confines of the provider’s infrastructure. But there is one key area of vulnerability – end user access. In order for cloud services such as ERP or CRM to provide business value, your end users, and sometimes even your partners, need to access the system, get at the data, and update records. If a hacker gets the keys to this kingdom, they can see what your end users see, steal your data, or corrupt the system.
All this data is certainly precious – often the most important and confidential data in an organization. It can include:
- Company financials
- Supply chain data
- Customer information
- and more
Why Cloud ERP and CRM are So Hot
ERP and CRM are complex software systems to install, use and manage – and usually pretty inflexible. And expensive. The cloud changes all that. The service provider installs and largely manages the software. And the large upfront capital expense is replaced with a lower predictable monthly fee to the customer. Even if not cheaper, it is easier for your accountants to digest.
IT also is freed from the yoke of managing the server infrastructure and storage to run the software – a massive relief.
End users benefit as well. Instead of needing to be on the LAN or logging onto a VPN, all they need is a web browser and almost any device that can run one.
Meanwhile, a report from ROI specialist Nucleus Research finds that cloud ERP customers have these benefits:
- 43 percent faster payback
- 42 percent higher return on investment
- 50 percent less spending on initial personnel
- 80 percent less spending on consulting
All this is why cloud ERP and CRM are so hot.
Why Cloud ERP and CRM Can Be Dangerous
Despite great security gains amongst cloud service providers, IT remains worried whenever their applications and data are off site. And because all you need is a browser and credentials to get to data rich ERP and CRM apps, there is indeed a risk.
In fact, hackers can use standard password cracking tools to get into your systems. Brute force and other attacks are readily available on the web. Modern hackers aren’t as concerned with showing off or making a statement like their predecessors – many are criminals who just want to profit off your data. The critical business data housed in ERP and CRM apps can be sold to competitors, or used as the basis of extortion.
Securing the Cloud
ERP and CRM cloud services do have good basic protections, and IT should exploit this security to the hilt. But that is not the end-all – the security buck stops with the IT department which bears the ultimate responsibility for keeping business critical data in the cloud safe.
End user access is the critical last mile security issue. Years of experience have taught us that end users (many at least) can’t be trusted with passwords. They tend to use passwords that are easy to remember, which makes them easier to crack. And if they are forced to use complex passwords, they often write them down where they can be discovered – sometimes on a Post-It note stuck to their laptop or pinned to their bulletin board or cubicle wall.
We are largely stuck with passwords as a means of authentication, but that doesn’t mean we have to accept their weaknesses.
Citrix CSO Stan Black suggests looking at authentication issues when choosing a cloud application provider. Black further advises that employees, contractors and others that access your cloud apps always use multifactor authentication. For employees or contractors trying to access your cloud “make sure they’re required to provide the right level of authentication before they’re able to access data from a new location or device. For contractors, make sure you set parameters on how long they’re able to access the data and from where,” Black continues.
Unfortunately, you can’t wave a magic wand and have instant, effective multifactor authentication. That is reflected in a study from the Ponemon Institute, in which 63 percent of respondents said user identity management was harder in the cloud than on-premises.
The answer is a proper Identity and Access Management (IAM) solution that includes both multifactor authentication (MFA) and single sign-on (SSO).
Here are 8 issues you should look at when considering IAM, at least according to a Momentum Watch report:
- 2-factor (or multifactor) authentication
- Single sign-on
- Active Directory Repository (LDAP)
- Account creation/deletion
- Role-based access control
- Integrating cloud-based identities
- HR process integration
Let’s look more closely at MFA. First, it is interesting to note who uses this high-level form of authentication. Aite Group analyst Julie Conroy observed that “so many criminal underweb sites require two-factor authentication (2FA) for admission.” The irony is that so many victims of criminal hackers themselves use weak passwords and bare bones authentication.
So what is MFA exactly? It means there is more than one way of verifying a user’s identity. These can include something you know such as your mother’s maiden name, something you have such as an ID card or key, or something you are, which can be biometric items such as iris scans or fingerprints.
The Power of Single Sign-On
SSO is viewed by most as a convenience – it is so much easier to access multiple apps, services and web sites with one set of credentials than to use a different set for each thing you want to get to. But there is also a security benefit with SSO. With it, you can have one complex password that a user can actually remember, and change it at regular intervals. This is safer than having so many passwords that you keep them someplace vulnerable, such as a piece of paper, to remember them.
To make SSO even safer, team it with multifactor authentication. This is also critical because if a hacker gets your SSO credentials they can access all your apps – negating the safety advantages of SSO.
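The access rules described above (Black’s advice on new devices and locations and on time-boxed contractor access, plus the requirement that an SSO session always be paired with MFA) can be expressed as a small policy check. This is an added illustration, not code from any IAM vendor; the user names, device IDs, country codes and contractor windows are constructed sample data, and the three decision values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: devices and countries each user has already used
# (as an IAM product would record them), and contractor access parameters.
KNOWN_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}
# contractor -> (allowed countries, window start, window end), all in UTC
CONTRACTORS = {
    "bob": ({"US", "CA"},
            datetime(2024, 1, 1, tzinfo=timezone.utc),
            datetime(2024, 3, 31, 23, 59, tzinfo=timezone.utc)),
}

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    session_mfa: bool   # MFA was completed when the SSO session was created
    fresh_mfa: bool     # a step-up MFA prompt was just answered
    when: datetime

def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (require MFA now) or 'deny'."""
    # Contractors only get in during their agreed window and from agreed places.
    if req.user in CONTRACTORS:
        countries, start, end = CONTRACTORS[req.user]
        if not (start <= req.when <= end) or req.country not in countries:
            return "deny"
    # An SSO session opens every app, so it must never exist without MFA.
    if not req.session_mfa:
        return "step_up"
    # A new device or a new location is the 'right level of authentication'
    # trigger: demand a fresh MFA proof before data is reachable.
    new_device = req.device_id not in KNOWN_DEVICES.get(req.user, set())
    new_country = req.country not in KNOWN_COUNTRIES.get(req.user, set())
    if (new_device or new_country) and not req.fresh_mfa:
        return "step_up"
    return "allow"
```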
If your interest in IAM is piqued, take a look at our two handy checklists, 12 Questions You Need To Ask Your Multi-Factor Authentication Vendor and 10 Questions You Should Ask Your Single Sign-On Vendor.