Cloud ERP Brings Greater Security But Treat Updates with Caution to Minimise Operational Disruption

By Chris Clifford, Principal Security Architect, Columbus UK

Over recent years many businesses have transitioned from on-premise to cloud ERP as people, systems, and data have become more manoeuvrable, with lower costs and tighter security. The transition comes with an abundance of business benefits, from lowered administrative burdens to lower capital expenses. Despite this, some CIOs still need a little more convincing to fully move their enterprise software into the cloud, citing concerns over version lag and untested updates causing operational disruptions.

Balancing the good and the bad of cloud ERP

No system is truly exempt from trouble, no matter how well configured the cloud is or how great its cost, efficiency, and end-user benefits. By adopting an ‘evergreen’ approach to updates, CIOs can ensure a consistent trail of security upgrades, bug fixes, and steady improvements – however, this doesn’t mean IT departments will not face some challenges along the way.

For a long time, businesses have used on-premise ERP as it works best for their way of working with little operational disruption; however, the Software-as-a-Service (SaaS) cloud model has now proved a far better alternative to this.

With legacy on-premises solutions, IT teams were often rushed off their feet to respond to security issues and to find a fix or patchwork solution – leaving other IT tasks delayed or abandoned. With cloud-based ERP systems this is no longer the case for businesses, as they can take advantage of their vendor having a dedicated team working 24×7 to ensure their SaaS system is secure.

For a case in point, the charity Alzheimer’s Research UK gained improved reporting, remote access, and upgraded security when the Columbus team implemented a cloud-based Microsoft Dynamics 365 Business Central Solution for them. This cloud-based ERP system allowed the charity to upgrade its old financial software which had limited remote accessibility and restricted them from creating clear data reports.

Adopt an ‘evergreen’ approach to stay secure and up-to-date

The Microsoft ‘evergreen’ approach to keeping ERP systems updated, whereby patches are automatically applied on a regular scheduled basis, is a major shift from previous approaches to updates held by many IT departments. Once deployed and customised to be fully functional, many businesses avoid ‘rocking the boat’ with updates or patches – often leading to a significantly outdated version.

The ‘evergreen’ approach takes the update burden out of the business’ hands, ensuring a cloud ERP system such as Dynamics 365 is always kept running on a supported and security-patched version, easing end-of-life concerns. This ensures businesses are not running versions with limited functionalities or known security vulnerabilities.

The always-on challenge

While this faster, predictable update cycle tightens systems from a cybersecurity perspective, the highly integrated, customisable nature of today’s cloud ERP systems can also be seen as a double-edged sword in terms of operational ‘security’. ERP vendors naturally cannot test these updates for every individual business environment – many of which operate highly customised or extensively integrated ERP systems – so there is a low-lying risk of operational disruption to a critical system. If an update does go ahead, the difficulties don’t end there as many businesses lack the time or resources to analyse all the release notes an ERP vendor produces. These notes contain details of the updates and it’s up to the business to take this responsibility in-house to see how a rollout would affect their system in terms of downtime and user disruption.

To ensure business continuity and no unexpected threats to day-to-day operations, having support from a managed service provider along with testing the update of patches on critical processes prior to deployment will be vital – a task that is increasingly being automated to ease the manual burden.

Take the case of United Oilseeds, a long-standing Columbus customer which has gone on to become one of the UK’s most successful farmer co-operatives. Due to issues with a previous third-party infrastructure managed service, United Oilseeds reached out to Columbus to unite their application and infrastructure managed services. After an Azure migration project to modernise and future-proof their ERP system, United Oilseeds began to see the benefits of a complete managed services package. The company has been able to eliminate the back-and-forth between separate providers, and the more proactive approach results in less downtime, with a single point of contact for their managed services. The newer, more up-to-date infrastructure also enables them to maximise the ROI of their ERP system.

Poor end-user networks call for better application security

Application security for ERP systems and end-user training in cybersecurity and online safety have never been so important, as the end user is often the cause of critical business systems being compromised. Covid has forced a rise in remote working, which has resulted in an increase in vulnerabilities, cyberattacks and cybercriminals, as many end-users connect their corporate devices to their personal networks with poorer security and protection. This was the case in 2021 for the Irish public health system, when a user unknowingly clicked on an infected file inside an email, causing a major ransomware attack.

When an IT department takes a security-focused approach in the cloud, they can give users peace of mind that, should their account be breached, it will have no effect on their access to crucial systems or data. This will span across all user types with different privileges, audit trails, and additional traceability measures such as automated checks to avoid the possibility of one user bringing down entire operations.

For example, if a manufacturing company with operations running 24×7 suffered a malware attack, the whole business would have to stop if their on-premise ERP system was compromised, because the malware could spread further to factory floor back-end systems. This would have a catastrophic effect on the business by stopping operations and manufacturing output. In comparison, if the manufacturing company had a SaaS deployment with built-in security protocols, the attack could be isolated, allowing other systems to continue unaffected.

Setting up a security-first approach now and always

It is of critical importance that businesses have evergreen cybersecurity measures and end-user training in place when deploying cloud ERP. When combining the right cloud-based system and the right managed services support, organisations can unlock the business benefits that have caused the cloud service market to soar – from cost reduction and improved efficiency to skipping version lag and security holes – without compromising their cybersecurity.