Risk Management in Cloud ERP Transformation


Why is Risk Management key in Cloud ERP Transformation?

Cloud transformations come with obvious benefits. Instead of buying, downloading, and maintaining software on-premises, you can connect to a third-party's application through the internet. But the rewards of cloud transformation come with equal risk and require a methodical approach to reviewing processes and policies that will secure the new ERP cloud environment.

In this first part of our two-part series on risk management in the cloud, we will explore the nuances between on-premise solutions and the cloud.

A secure move to the Cloud requires thorough planning and consideration. During a secure Cloud transformation, you should evaluate five key components of your risk framework:

  1. Internal Controls
  2. Application and Data Security
  3. User Identity and Governance
  4. Evolving Risk Management
  5. Six ways Cloud differs from On-premises solutions

Internal Controls

Internal controls help protect you from fraud and are a system to protect the company's interests. Controls also ensure that your company complies with laws and regulations in handling financial data. During a Cloud implementation, you should review the following:

  1. Access controls - role design and the assignment of roles to users, to ensure that access entitlements comply with policy.
  2. Business process controls - the processes, procedures, and protections that shield your company from unintended or inappropriate actions.
  3. IT General Controls (ITGC) - controls that apply to all systems, components, processes, and data in the organization and help ensure that risk is managed and mitigated appropriately.
  4. Application configuration controls - the control processes vary based on the purpose of the application, but the intent is to help you ensure the configuration of the ERP application is secure.
  5. Control automation – look for ways to automate controls to reduce errors and manual efforts.

Assessing these key controls is an essential first step in the transformation process because controls that work in an on-premises environment don't always translate to the Cloud. It is also necessary to consider the new risks that a Cloud transformation will introduce to your environment. For example, user access is a major concern in the Cloud compared to On-premises solutions. Businesses should create controls around new risks to protect the company and its data from bad actors.

Application and Data Security

The next element in a secure transformation addresses application and data security. This step puts your application security tactics into action: these practices enforce the controls you identified during your controls assessment. They are the mechanics of access management and the ways of controlling what information users can access. These elements include:

  • Application roles - assign predetermined user privileges based on their job function (AP Manager or System Administrator).
  • Segregation of Duties - security practice that distributes the responsibility of a process to reduce the risk of fraud.
  • Privileged access - elevated access or capabilities beyond those of a standard user, such as administering the infrastructure and applications of the business; it should be granted sparingly and monitored closely.
  • Authentication - how an application recognizes a user's identity.
  • Data protection - User privacy laws regulate the types of data that can be collected, how that data can be used, and how data should be stored and protected.

User Identity and Governance

Identity governance and administration (IGA) involves managing user identities and access controls, ensuring you give the proper access to the right resources at the right time. IGA system(s) should also assess risks and produce reports for audit compliance. The following are operational mechanisms that control how your application governs user access.

  • Policy-based access control (PBAC) – as opposed to role-based access control (RBAC), where access follows from abstract role assignments, PBAC grants or denies access based on logic defined in your access policies. For example, a policy can state that users who create suppliers may not pay suppliers.

  • Identity access management - the policies and processes in place to authenticate, authorize and revoke privileges when no longer needed.

  • Access certification - a periodic review in which managers or application owners attest that each user's access is still appropriate, so that only legitimate users retain access to applications and systems.

  • Enterprise and application role governance - provides a structured and systematic way for an organization to decide how roles are designed, approved, changed, and retired across its applications.

  • Enterprise roles - manage user entitlements across all systems, security attributes, and applications.

Evolving Risk Management

Evolving risk management involves setting up a structured and systematic way for your organization to make important decisions about its new risk profile in the Cloud. These include assessing, measuring, and evaluating alternative ways to mitigate risk.

  • Internal controls management - is how an organization monitors its controls to ensure they work as expected.

  • Application change and release management – is a detailed plan documenting how an organization will handle the impact of quarterly releases and updates to their Cloud environment.

  • Integrated risk management solutions - focus on the involvement of the entire organization, not just IT, in achieving comprehensive risk management.

You also want to mitigate implementation risk when your organization buys a complex new technology that costs millions. Poorly executed or inadequate project management creates tremendous risk and can cost millions of dollars. Because of the complexity of Cloud implementations, organizations typically partner with a System Integrator (SI) to manage the Cloud implementation. To ensure that your SI mitigates implementation risks while managing your budget, a platform such as SafePaaS can be used to:

  • Monitor and approve key project milestones - SafePaaS is a complete collaboration controls platform that allows SIs to mitigate project risk and ensure timely projects.

  • Evaluate the adequacy of key work products – SafePaaS Application Lifecycle Controls enable SIs to enforce change controls and reduce costly application maintenance and upgrade errors. This allows Project Managers to track project status and issues effectively by monitoring activities against the task assignment in the project plan. 

  • Establish success factors and deployment criteria - SafePaaS can improve the application quality assurance process by automating the User Acceptance Testing (UAT) program to ensure that the application controls and key configurations are evaluated for effectiveness.

Six ways Cloud differs from On-premises solutions

1. Hosting

One of the most significant differences between On-premises and Cloud solutions is hosting. Hosting refers to the location of the databases, servers, and software. As the name implies, On-premises solutions are physically located on office property. With a Cloud solution, a third-party hosts the application and databases offsite, and you can access it through a web browser.

Hosting considerations

  • A third party manages system configurations.
  • Fixes in the Cloud could take longer because your IT department isn't able to access the databases.

2. Application security

Application security in the Cloud is very different from On-premises. A security role defines how users, such as HR Analysts, access different types of records. With On-premises, you have direct control over security roles, responsibilities, and privileges and can change them freely.

In the Cloud, you can still define and assign roles, but the security model is different. Organizations that have heavily customized their user roles may find managing roles in the Cloud difficult, because effective access is driven by security privileges, data-security attributes, and inherited roles and privileges, not just a single security profile.

Application security considerations

  • Segregation of duties and privileged access rule sets must be reviewed and address new entitlements and privileges.       
  • Application security design changes add complexity to the segregation of duties and privileged access management.            
  • Role migration to Cloud is manual.

3. Roles and responsibilities

As mentioned previously, On-premises solutions are highly customizable and can be built to fit business requirements. User roles can easily be designed and deployed. Cloud security architecture, on the other hand, protects the infrastructure, data, and applications. Because Cloud security architecture is complex, it presents challenges in customizing roles.

Roles and responsibilities considerations

  • Customization of roles in the Cloud incorporates various components such as roles, privileges, and entitlements.    
  • Many ERP Cloud "seeded" roles contain inherent SOD conflicts.    
  • Seeded roles grant excessive access to configurations and sensitive data.          
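The policy example given under PBAC (users who create suppliers may not pay suppliers), the inherited-privilege model described under Application security, and the seeded-role conflicts in the bullets above can all be checked with one piece of logic: expand each role to its effective privileges by following inheritance, then test the result against a rule set. The Python below is an added example written for this page; it is not SafePaaS code and not an Oracle ERP Cloud API. The role hierarchy, privilege names, user assignments and SoD rules are constructed sample data, not seeded roles from any real product.

```python
"""Segregation-of-duties (SoD) check over an ERP role hierarchy.

Added example for this page: not SafePaaS code and not an Oracle ERP Cloud
API. Role names, privilege names, user assignments and rules are constructed
sample data, not seeded roles from any real product.
"""
from collections import deque

# Constructed role model: role -> (directly granted privileges, inherited roles).
# This mirrors the Cloud model described above, where effective access comes
# from privileges and inherited roles rather than a single security profile.
ROLES = {
    "AP_SUPPLIER_ADMIN": ({"CREATE_SUPPLIER", "EDIT_SUPPLIER"}, set()),
    "AP_PAYMENT_CLERK": ({"CREATE_PAYMENT", "VIEW_INVOICE"}, set()),
    # Over-broad "seeded"-style manager role: approves invoices and inherits payment.
    "AP_MANAGER": ({"APPROVE_INVOICE"}, {"AP_PAYMENT_CLERK"}),
    # Composite role that inherits both sides of the supplier/payment conflict.
    "AP_SUPERUSER": (set(), {"AP_SUPPLIER_ADMIN", "AP_MANAGER"}),
    "GL_ACCOUNTANT": ({"POST_JOURNAL"}, set()),
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_SUPPLIER_ADMIN"},
    "bob": {"AP_PAYMENT_CLERK"},
    "carol": {"AP_SUPERUSER"},                    # conflict through inheritance only
    "dave": {"AP_SUPPLIER_ADMIN", "AP_MANAGER"},  # conflict through two direct roles
    "erin": {"GL_ACCOUNTANT"},
}

# SoD rules written as policy logic: two privilege sets one person must not hold together.
SOD_RULES = {
    "create-supplier-vs-pay-supplier": ({"CREATE_SUPPLIER"}, {"CREATE_PAYMENT"}),
    "approve-vs-pay": ({"APPROVE_INVOICE"}, {"CREATE_PAYMENT"}),
}


def effective_privileges(role, roles=ROLES):
    """Every privilege reachable from `role`, following inherited roles transitively.

    Breadth-first with a visited set, so diamond-shaped or cyclic hierarchies
    terminate and each role is expanded once.
    """
    seen, queue, privs = set(), deque([role]), set()
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        direct, parents = roles.get(r, (set(), set()))
        privs |= direct
        queue.extend(parents)
    return privs


def _violated(privs, rules):
    """Names of rules where both sides intersect the given privilege set."""
    return sorted(name for name, (a, b) in rules.items() if privs & a and privs & b)


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that violate a rule on their own: the seeded-role problem."""
    findings = {}
    for role in roles:
        hits = _violated(effective_privileges(role, roles), rules)
        if hits:
            findings[role] = hits
    return findings


def user_conflicts(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Users whose combined assignments violate a rule, whether the conflict
    comes from one over-broad role or from two individually clean roles."""
    findings = {}
    for user, assigned in user_roles.items():
        privs = set().union(*(effective_privileges(r, roles) for r in assigned))
        hits = _violated(privs, rules)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("Roles with built-in conflicts:", role_conflicts())
    print("Users with SoD conflicts:", user_conflicts())
```

Running it reports AP_MANAGER and AP_SUPERUSER as conflicting by design, and flags carol (one composite role) and dave (two separately harmless-looking roles) as users in violation, while alice, bob and erin pass. The role-level report is what you want before migration, because a conflict baked into a role cannot be fixed by reassigning users; the user-level report is the ongoing access review.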

4. Release management

With On-premises solutions, if a change is to be introduced into the system, it will take months to deploy, but planning is more straightforward.

In Cloud solutions, IT still controls critical features such as security and integration, but cross-departmental collaboration is needed to plan for releases. The plan should include clear rules and definitions on how and when releases will be managed.

Release management considerations

  • Increased reliance on change management and ITGC for testing and patch releases.
  • IT activities revolve around the vendor calendar.
  • Quarterly patches introduce risks from modifications to functionality and security.

5. Controls monitoring

In On-premises solutions, you can manually monitor changes in your database. If a change is made to suppliers, master data, or configurations, running a report against your database will reveal the differences. In the Cloud, configuration changes can’t be directly monitored in the database because you don't have access to the infrastructure. Without an automated solution, custom reporting is needed to monitor controls, which can be cost-prohibitive. SafePaaS offers an automated controls solution to streamline controls monitoring. 

Change monitoring considerations

  • Access to the database in the Cloud is limited.
  • Automated solutions like SafePaaS can monitor select configurations and settings through audit rules.
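Without database access, configuration monitoring in the Cloud comes down to taking periodic snapshots of setup data through whatever reporting interface the vendor exposes, diffing them, and evaluating the differences against audit rules. The Python below is an added example for this page, not SafePaaS code and not the Oracle ERP Cloud audit framework; the two snapshots, the setup keys and the rule set are constructed sample data. It shows the three things such a monitor needs: a diff that catches added and removed keys as well as changed values, rule matching with severities, and a check of current values against expected values so a baseline that was already wrong is not silently accepted.

```python
"""Configuration change monitoring by snapshot comparison and audit rules.

Added example for this page: not SafePaaS code and not the Oracle ERP Cloud
audit framework. Both snapshots and the rule set are constructed sample data.
In a real Cloud ERP the snapshots would come from the vendor's reporting or
REST interfaces, because the database itself is not reachable.
"""
import fnmatch

# Constructed snapshot at the last certified baseline: setup key -> value.
BASELINE = {
    "AP.INVOICE_APPROVAL_REQUIRED": "Y",
    "AP.INVOICE_TOLERANCE_PCT": "2",
    "AP.PAYMENT_APPROVAL_LIMIT": "10000",
    "SUPPLIER.100234.BANK_ACCOUNT": "GB29NWBK60161331926819",
    "SUPPLIER.100234.STATUS": "ACTIVE",
    "GL.PERIOD_STATUS.2024-06": "CLOSED",
}

# Constructed snapshot after a quarterly release and some admin activity.
AFTER_PATCH = {
    "AP.INVOICE_APPROVAL_REQUIRED": "N",                        # control switched off
    "AP.INVOICE_TOLERANCE_PCT": "2",
    "AP.PAYMENT_APPROVAL_LIMIT": "10000",
    "SUPPLIER.100234.BANK_ACCOUNT": "GB94BARC10201530093459",  # payee bank changed
    "SUPPLIER.100234.STATUS": "ACTIVE",
    "GL.PERIOD_STATUS.2024-06": "CLOSED",
    "AP.NEW_PATCH_FEATURE_FLAG": "ENABLED",                     # key added by the release
}

# Audit rules: a glob over setup keys, a severity, and optionally a value the
# control depends on. Anything not matched is still reported, at 'info'.
AUDIT_RULES = [
    {"name": "approval-control-disabled", "pattern": "AP.INVOICE_APPROVAL_REQUIRED",
     "severity": "high", "expected": "Y"},
    {"name": "supplier-bank-change", "pattern": "SUPPLIER.*.BANK_ACCOUNT", "severity": "high"},
    {"name": "payment-limit-change", "pattern": "AP.PAYMENT_APPROVAL_LIMIT", "severity": "medium"},
    {"name": "period-reopened", "pattern": "GL.PERIOD_STATUS.*", "severity": "medium"},
]


def diff_snapshots(baseline, current):
    """{key: (old, new)} for every added, removed or changed setting (None = absent)."""
    changes = {}
    for key in baseline.keys() | current.keys():
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def evaluate(changes, rules=AUDIT_RULES):
    """Map each change to the rules it trips; unmatched changes surface as 'info'
    so a release cannot silently introduce settings nobody reviews."""
    findings = []
    for key, (old, new) in sorted(changes.items()):
        matched = [r for r in rules if fnmatch.fnmatchcase(key, r["pattern"])]
        if not matched:
            findings.append({"key": key, "rule": None, "severity": "info", "old": old, "new": new})
        for r in matched:
            findings.append({"key": key, "rule": r["name"], "severity": r["severity"],
                             "old": old, "new": new})
    return findings


def drift_from_expected(current, rules=AUDIT_RULES):
    """Settings whose current value violates a rule's expected value, regardless of
    whether a change was seen; catches a baseline that was already wrong."""
    out = []
    for r in rules:
        if "expected" not in r:
            continue
        for key, val in sorted(current.items()):
            if fnmatch.fnmatchcase(key, r["pattern"]) and val != r["expected"]:
                out.append((key, val, r["expected"]))
    return out


if __name__ == "__main__":
    for f in evaluate(diff_snapshots(BASELINE, AFTER_PATCH)):
        print(f"[{f['severity']:6}] {f['key']}: {f['old']!r} -> {f['new']!r}  rule={f['rule']}")
    print("Drift from expected:", drift_from_expected(AFTER_PATCH))
```

On the constructed data this produces two high-severity findings (the approval control switched off and the supplier bank account changed) and one informational finding for the key the release introduced. The snapshot interval sets your detection window; a change made and reverted between two snapshots will not appear, which is why the drift check on the current value and a separate review of privileged-user activity are both still needed.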

6. Access Controls

Controls in your On-premises solution will not cover risk in the Cloud because the security architecture in the Cloud is different. When moving to the Cloud, you should reassess your controls to ensure they address risk in your new environment.

Controls considerations

  • Operating and IT process controls require reevaluation to integrate role changes and changes in the timing of application management.  

Once you have assessed the differences between your current on-premise solution and the unique implications of a cloud environment, you will be able to address the specific security and risk challenges your organization faces.

The decision to move to the Cloud is substantial and may not be for everyone. Before deciding, it's crucial to understand the needs of your business. Evaluating the changes a move to the Cloud will have on your business is a fundamental first step in the decision-making process. Customers' demands and constant changes shape the current market. To remain competitive, businesses must maintain flexibility and create an IT infrastructure that can keep pace with the speed of business growth. The cloud offers this flexibility and scalability, but special considerations to the new security challenges in the cloud must be addressed to ensure that risk is mitigated during your transformation.

Recommended Resources


How to be successful with Oracle ERP Cloud

Join industry veterans Rick Anthony, VP, Evosys and Adil Khan, CEO, SafePaaS as they share valuable insight and stories from the field and discover how to be successful with Oracle ERP Cloud by taking a risk-based approach to access. Learn what we are seeing in the market, what makes a project succeed (or fail), challenges organizations are facing, lessons learned and how fine-grained access management solutions can help you be successful both now and in the future. 



Secure Oracle ERP Cloud Application Controls Monitoring 

This Q&A discussion focuses on the importance of effective security and application controls monitoring in your Oracle ERP Cloud project to address and reduce business risk. SafePaaS CEO Adil Khan is joined by guest speaker Rick Anthony, VP of Sales at Evosys to explore how the increasing trend towards cloud landscapes often leaves security and application controls monitoring behind. Adil and Rick share proven methodologies to make sure your organization is protected.

Secure Oracle ERP Cloud

Secure Oracle ERP Cloud with effective access controls

Organizations that take a proactive approach to access controls, data security policies and in particular, segregation of duties to restrict privileged access not only reduce the IT cost of maintenance but also mitigate access risk that can result in lost productivity and audit fatigue.