
Securing your ERP journey to the cloud

kpmg.com

A framework for mitigating risk in your cloud ERP



Up, up, and away

The sky’s the limit for your enterprise resource planning (ERP) system. We mean that quite literally. If your ERP isn’t in the cloud already, it will need to be there soon if you want to stay competitive.

And while a cloud-based ERP presents a host of advantages and opportunities, it also opens up a world of risk – from hackers, cyber criminals, and even your own employees.

The good news is that there are steps you can take to mitigate cloud ERP implementation and operational risks. Perhaps the most important is upfront planning. That is, before implementing a new cloud ERP, or taking steps to mitigate ongoing risks of your current cloud ERP solution, you carefully plan and budget for in-depth security and controls. ERP risk – and requisite security and controls – should be at the forefront of any cloud ERP business and IT discussions.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 810774


Moving ERP to the cloud

Many organizations are already operating an ERP system that’s housed on premises (i.e., a non-cloud ERP). An ERP solution helps organizations manage financial and operational risk while boosting performance and efficiency. It can help them monitor operations (including supply chain logistics), automate internal controls and enhance security and compliance measures.

But establishing an on-premises ERP can be quite costly, averaging approximately $8 million, which includes software, hardware, consulting, personnel, and training.

A cloud-based ERP has many risk and control advantages over an on-premises ERP. For example, a cloud ERP offers more powerful processing power, enabling you to analyze far greater amounts of current and historical data, identify anomalies in patterns, and make smarter, performance-based decisions. It can also be accessed from anywhere at any time (including mobile devices), and offers more operational benefits in managing your HR, finance, production units, and supply chain logistics.

In addition, many cloud-based ERPs have built-in templates that help companies protect themselves against risk from both internal and external sources. This saves companies the time and expense of having to design, test, and implement certain security measures, such as segregation of duties (SoD) and heightened approval processes, which may be required with on-premises ERP apps.

And then there’s the cost. It’s considerably less expensive to establish a cloud-based ERP, and it can reduce ERP operational costs by more than 50 percent.1

In light of all this, it’s no surprise that the cloud is where businesses are heading, with 85 percent now using some form of public cloud service.2

Don’t lose sight of the risks

However, a cloud-based ERP also comes with fraud and cyber security threats. And these threats are both increasing and varied in nature. In fact, nearly 40 percent of firms have found it difficult to detect and respond to cloud security incidents, making it the most cited cyber security challenge.

Unlike an on-premises ERP, a cloud ERP can be accessed by the public via a link. And once an unauthorized individual gets the link, acquires an employee’s credentials, and gains access to a firm’s ERP application and confidential data, the organization can be in a world of trouble, not to mention that it may be difficult, if not impossible, to get the information back.

This is why cyber security concerns are at the forefront of most organizations. According to the 2018 Oracle and KPMG Cloud Threat Report, 89 percent of companies are increasing their cyber security spend in the next year, with almost 45 percent expecting a jump of 77 percent. And cloud security is the area that will receive the most cyber security funding, specifically cloud infrastructure security and cloud application security.3

1 10 New Reasons to Move ERP into the Cloud, Forbes.com, Sasha Banks-Louie, April 4, 2017.

2 ESG Master Survey Results, 2017 IT Spending Intentions Survey

3 Oracle and KPMG Cloud Threat Report, 2018


Upfront planning is essential

It’s essential that you take sufficient preventative measures before your organization’s data evaporates into the cloud.

When a company anticipates taking its ERP solution to the cloud, its primary focus typically is on what the new technology can do to enhance operations, production, marketing, sales, and so on. The controls or security aspects usually take a back seat in terms of priority and budgeting. In many cases, the company incorrectly assumes that the controls and security processes it had with its aged on-premises ERP will work just fine within the cloud-based ERP.

Thus, attention to security and controls remains an afterthought until the cloud ERP solution is live or well into the implementation phase.

We strongly recommend that companies include in-depth cloud ERP risk, security, and controls considerations as an integral part of their upfront planning process. That’s because architectural decisions about the structure of the cloud ERP and how it will operate are made during the planning stages. If you need to make security and control changes later in the implementation process or after the system is live (e.g., restricting access to systems based on job code, adding preventative controls, etc.), it can impact functionality and efficiency.

Also, the later you make the changes, the more costly it is to get the cloud ERP to effectively mitigate risk. In addition, while these fixes are being made, you leave your company more vulnerable to attacks from both external threats (via cyber attacks) and internal threats (e.g., employees may be able to circumvent approval processes).

How much to spend?

We recommend that organizations allocate five to 10 percent of their overall cloud ERP implementation budget to cloud risk, security, and controls. Companies that are required to have strong controls in place, for instance, financial services firms, tend to spend closer to the 10 percent mark. But organizations that are willing to take on more risk, or aren’t subject to special compliance regulations, may opt to allocate an amount closer to five percent.

This recommendation is in line with the results of a recent KPMG survey of 300 executives across multiple industries.4 The survey, titled “Risk is Real,” revealed that three quarters of the executives plan to allocate three to 10 percent of the total cost of a future cloud ERP implementation to security.

Another indication that companies are aware of the potential risks of cloud-based ERPs is that more than 40 percent have appointed a dedicated cloud security architect. And there’s good reason for doing so: 90 percent of companies report that at least half of their cloud data consists of sensitive information.5

4 KPMG ERP Controls Survey 2017: Risk Is Real

5 Oracle and KPMG Cloud Threat Report, 2018

Typically we recommend that 5-10 percent of the overall implementation budget should be allocated to security and controls.

– Laeeq Ahmed, Managing Director, KPMG Advisory

A preventable cyber security breach

Here’s how a little upfront security and controls planning prior to going live with its cloud-based ERP could have prevented a hotel chain’s loss.

The company's controller was “spear phished.” He had responded to an email he thought was sent by a colleague; instead it was sent by fraudsters. When he logged in to a mirrored site, his credentials were stolen and the criminals were able to gain access to his ERP account. They then discreetly changed a supplier’s bank account information so that company checks were routed to a fake bank account controlled by the criminals.

But with a little foresight, the company could have prevented the loss (if not the spear phishing incident itself). It could have easily implemented an automated process whereby supplier bank account changes had to be approved in the system by a second party.


How to secure your Cloud ERP framework

The following framework can help organizations take maximum advantage of cloud-based ERP capabilities while protecting their sensitive data and transactions from fraud and cyber security threats.

[Figure: KPMG’s securing the cloud ERP framework, with five elements: Application Controls, Application Security, Cyber & Data Security, Security Operations, and User Administration & Governance]

Let’s take a closer look at each of the elements:

Application controls

The key to application controls is automation and prevention; the more you can automate your processes and controls (and the less left to manual action), the better the odds of preventing or mitigating fraud or theft risk.

Cloud-based ERPs typically include application controls designed to help automate security and controls for financial matters, such as purchase orders, payment of invoices, ledger entries, and so on. For example, your cloud ERP app should contain built-in approval processes for several different types of transactions. In other words, an authorized approver should have to log into the system and approve a transaction within the app in order for it to continue on to the next step in the process; a verbal, paper or email authorization will not suffice.

Organizations acknowledge that automating their cyber security programs (e.g., updating firewalls, quarantining affected systems) is critical to combat cyber attacks and mitigate damages. More than 80 percent of cyber leaders suspect that employees do not follow cloud security procedures, so the more that can be automated, the better.

Accordingly, nearly half of surveyed firms report that they’re evaluating and planning for security automation, and an additional 35 percent said they’re actively investing in automation solutions.6

Application security

Application Security

— Adaptive Authentication

— Role Based Access Controls (RBAC)

— Cloud Application Security Architecture

— Sensitive Access & Segregation of Duties

Application Controls

— Business Process Controls

– Manual

– Configurable

– Automated

— Enhancement & Configuration Controls

— Conversion & Interface Controls

6 Oracle and KPMG cloud threat report, 2018.

A guiding principle to cloud ERP security is that the same individual shouldn’t be able to control all aspects of a transaction. In other words, a person shouldn’t be able to make a purchase, create an invoice, approve the order, make the payment, and post the journal entry. Rather, the process should require multiple individuals signing off at various steps in order for the transaction to proceed. This concept, generally referred to as SoD, serves as a “checks-and-balances” measure or control that mitigates the risk of fraud or theft, especially by employees.

It’s true that this multi-step approval process can sometimes slow down operations. But this issue can be addressed by tailoring how it’s applied. For example, you can allow for the same individual to order items, pay for them, and post to a journal, but require an alert to be sent to another party to approve or question the transaction if it exceeds a set amount, say $10,000.
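The segregation-of-duties principle and its tailored $10,000 variant described above can be checked against a transaction log. The following Python sketch is an added example, not code from KPMG or from any ERP product; the step names, event layout and sample data are constructed for illustration, and treating an approval by the same user as no approval is an assumption.

```python
from collections import defaultdict
from typing import NamedTuple

# The five steps named in the text: purchase, invoice, approve, pay, post.
STEPS = frozenset({"purchase", "invoice", "approve", "pay", "post_journal"})
# Combination the tailored rule lets one person hold: order, pay, post.
SELF_SERVICE = frozenset({"purchase", "pay", "post_journal"})
REVIEW_THRESHOLD = 10_000  # the "set amount" from the text


class Event(NamedTuple):
    txn: str
    step: str
    user: str
    amount: float


class Finding(NamedTuple):
    txn: str
    severity: str  # "violation" or "alert"
    user: str
    reason: str


def audit(events, threshold=REVIEW_THRESHOLD):
    """Return SoD findings for a list of Event records, ordered by txn."""
    steps_by_user = defaultdict(lambda: defaultdict(set))
    amount = {}
    for e in events:
        if e.step not in STEPS:
            raise ValueError(f"unknown step {e.step!r} on {e.txn}")
        steps_by_user[e.txn][e.user].add(e.step)
        amount[e.txn] = max(amount.get(e.txn, 0), e.amount)

    findings = []
    for txn in sorted(steps_by_user):
        users = steps_by_user[txn]
        for user in sorted(users):
            done = users[user]
            # Assumption: only an approval by a *different* user counts.
            approved_by_other = any(
                "approve" in s for u, s in users.items() if u != user
            )
            if done == STEPS:
                findings.append(Finding(
                    txn, "violation", user,
                    "one user performed every step"))
            elif (SELF_SERVICE <= done and amount[txn] > threshold
                  and not approved_by_other):
                findings.append(Finding(
                    txn, "alert", user,
                    f"amount exceeds {threshold}: second-party review"))
    return findings


def _txn(txn, amount, **who):
    """Build events for one transaction from step=user keyword pairs."""
    return [Event(txn, step, user, amount) for step, user in who.items()]


# Constructed sample log, not real data.
SAMPLE_EVENTS = (
    # Fully segregated: no finding, whatever the amount.
    _txn("T1", 25_000, purchase="alice", invoice="bob", approve="carol",
         pay="dave", post_journal="erin")
    # One user end to end: violation even below the threshold.
    + _txn("T2", 4_000, purchase="mallory", invoice="mallory",
           approve="mallory", pay="mallory", post_journal="mallory")
    # Order/pay/post by one user above the threshold, nobody else approved.
    + _txn("T3", 18_500, purchase="frank", invoice="bob", pay="frank",
           post_journal="frank")
    # Same pattern below the threshold: allowed by the tailored rule.
    + _txn("T4", 900, purchase="frank", invoice="bob", pay="frank",
           post_journal="frank")
    # Above the threshold but approved by a second party: no finding.
    + _txn("T5", 12_000, purchase="gina", invoice="bob", approve="harry",
           pay="gina", post_journal="gina")
    # Self-approval does not satisfy the second-party requirement.
    + _txn("T6", 50_000, purchase="ivan", invoice="judy", approve="ivan",
           pay="ivan", post_journal="ivan")
    # Exactly at the threshold does not "exceed" it.
    + _txn("T7", 10_000, purchase="frank", invoice="bob", pay="frank",
           post_journal="frank")
)

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f.txn, f.severity, f.user, "-", f.reason)
```
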

A cloud-based ERP can also be configured to apply “role-based” access controls. In other words, permission to access a system or approve a transaction is based on the user’s title or job code. This addresses security issues created when individuals are promoted or move to another department, and get new access and approval authority, but retain their old access/authority. With a roles-based security measure, individuals automatically gain and/or lose access/approval authority; there should be no “slipping through the cracks.” HR and IT will need to work together to coordinate the SoD and role-based control features.

Adaptive authentication is another design feature that can be configured for use in a cloud ERP. This security feature sends an alert or blocks a transaction if it detects an individual signing in from two different locations at or around the same time in a manner that seems suspicious.
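The check described above, sign-ins from two different locations at or around the same time, is commonly implemented as an "impossible travel" test. The Python sketch below is an added example, not KPMG's or any vendor's implementation; the three thresholds, the rule that a blocked sign-in does not update the user's last known location, and the sample sign-ins are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta
from typing import NamedTuple

# Thresholds are assumptions for this sketch, not values from the report.
MIN_DISTANCE_KM = 100.0                   # ignore jitter inside one metro area
SAME_TIME_WINDOW = timedelta(minutes=10)  # "at or around the same time"
MAX_PLAUSIBLE_KMH = 900.0                 # roughly airliner cruising speed


class SignIn(NamedTuple):
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(signins):
    """Return (user, when, decision) per sign-in, in time order.

    decision is "allow", "alert" (speed implausible) or "block"
    (distant locations inside the same-time window).
    """
    last_ok = {}  # user -> last sign-in that was not blocked
    decisions = []
    for s in sorted(signins, key=lambda x: x.when):
        decision = "allow"
        prev = last_ok.get(s.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            elapsed = s.when - prev.when
            if dist >= MIN_DISTANCE_KM:
                if elapsed <= SAME_TIME_WINDOW:
                    decision = "block"
                elif dist / (elapsed.total_seconds() / 3600) > MAX_PLAUSIBLE_KMH:
                    decision = "alert"
        # A blocked attempt never became a session, so the previous
        # location stays the reference point for the next comparison.
        if decision != "block":
            last_ok[s.user] = s
        decisions.append((s.user, s.when, decision))
    return decisions


# Constructed sample data: approximate city coordinates, made-up users.
NEW_YORK = (40.71, -74.01)
NEWARK = (40.74, -74.17)
LONDON = (51.51, -0.13)
CHICAGO = (41.88, -87.63)
DAY = datetime(2024, 3, 4)


def at(hour, minute, day=0):
    return DAY + timedelta(days=day, hours=hour, minutes=minute)


SAMPLE = [
    SignIn("dana", at(9, 0), *NEW_YORK),       # first sign-in: allow
    SignIn("dana", at(9, 20), *NEWARK),        # ~14 km away: allow
    SignIn("eli", at(9, 24), *LONDON),         # other user, first: allow
    SignIn("dana", at(9, 25), *LONDON),        # 5 min after Newark: block
    SignIn("dana", at(10, 5), *CHICAGO),       # ~1,130 km in 45 min: alert
    SignIn("dana", at(18, 0, day=1), *LONDON), # ~32 h later: allow
]

if __name__ == "__main__":
    for user, when, decision in evaluate(SAMPLE):
        print(when.isoformat(), user, decision)
```
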

Also, nearly half of companies surveyed in our recent survey with Oracle have adopted multi-factor authentication (MFA) to protect their most sensitive and mission-critical assets, and another 29 percent use MFA to authenticate access to a wider variety of systems and data assets. MFA requires the use of two or more independent credentials to access a system (e.g., swiping a card and entering a PIN, entering a password and a number generated by a token, or swiping a card, scanning a fingerprint, and/or answering a security question). This MFA approach can also be used in conjunction with adaptive authentication.

Cyber & data security

It takes more than just technology upgrades to prevent and/or mitigate cyber and data security risk. You need the joint effort of people, process, and technology to generate maximum cyber and data security protection.

A potential roadblock to establishing synergies and cooperation is the different world view of the business and IT department about cyber security. Because of their advertised operational and efficiency advantages, many organizations tend to adopt cloud apps and services quickly, without applying the proper scrutiny. This often puts the business at odds with the IT department, which typically prefers a more risk-averse approach to cyber and data security.

IT and cyber security leaders should meet with business leaders to get a better understanding about how the business is using the cloud ERP solutions in the first place. At the same time, the IT leaders can explain the need for stringent cyber security policies, processes, and controls. This can help the organization strike a balance between enabling the secure use of the cloud solutions and data while mitigating associated risks.

The chart below illustrates the most common actions organizations are taking to bolster their cyber security defenses. Employee awareness and training programs are reported to have the most positive impact on cyber security, closely followed by an increased cyber security budget and more training for cyber security team members.

Improving cyber security defenses

Created or increased end-user/employee awareness and training programs to better educate them about cybersecurity threats: 31%
Increased our security budget: 29%
Trained our security team on new threat types and best practices: 29%
We have employed controls to automate protecting vulnerable systems from being exploited: 26%
We have increased the frequency in which we patch systems: 26%
We are now conducting more regular penetration testing to identify vulnerabilities: 25%
We have engaged with a managed security services provider (MSSP) to augment our staff and/or to provide additional capabilities we could not staff: 24%
By understanding the behavior of successful attacks, we have been able to harden our defenses: 23%
Purchased security technologies in addition to those used in the past: 20%

Source: Oracle and KPMG Cloud Threat Report, 2018

Cloud Security Operations

— Enhancement Management for Security & Controls

— Cloud ERP Security & Controls Operations

Security operations

Cyber threats are constantly changing and evolving, and so must your cloud ERP security operation. It’s unlikely to work well if it’s done piecemeal, narrowly targeted to address a specific issue, or forgotten about once put in place.

For example, an organization’s cloud security operation should ideally feature continuous monitoring capabilities that can detect threats or anomalies that might appear. In addition, it needs to include a process that analyzes cloud application updates as they’re released. This lets you know what new capabilities have been introduced, how the updates impact your operational processes and internal controls, whether you want to adopt them (or whether they are applied automatically), and whether you need to update your control framework.

Cyber & Data Security

— Information Protection

— Cyber Security

— Business & Technology Resilience

— Privilege Administrative Access


The illustration below sets out a framework for a cloud security capability assessment program designed to identify and remediate risks:

[Figure: cloud security capability assessment framework. Panel titles: Key Stakeholders; Key Outcomes; Governance and Operations; Cloud Security Fabric (Tech-enabled Solutions). Labels shown: Business Units and Customers; Finance and Operations; Engineering and Development; Security and Operations; Audit, Legal, Risk, and Compliance; Business Agility, Speed and Innovation; Spend and Risk Reduction Optimization; Visibility and Reporting; Data Security and Threat Protection; Compliance; Information and Privacy Protection; Identity and Access Management; Threat and Vulnerability; Incident & Crisis Mgt; Risk and Compliance Management; On-boarding, Delivery and Operations; Strategy and Governance; Security Architecture; DLP/Content Classification; Device Management; Config Management; Logging; Monitoring; Auditing; Fraud and forensics; Configuration Security; Credential and profile management; SSO and federation; Authentication and risk based access; Authorization; Directory Services; Privileged management; Encryption Management; Apps firewall; User behavior analytics]

User administration & governance

User administration and governance is the method by which organizations handle user access management and certification, password management, and the use of user analytics.

As noted earlier, companies must ensure that their user access management processes take into consideration employees who change positions. Applications can be configured so that a user’s access automatically changes/evolves based on function, business unit, location and other criteria based on his or her HR record.

So, for instance, if an individual is promoted from an accounts payable (AP) clerk to AP manager, his job code changes, and this automatically changes his access authority. In addition, proper controls should be in place to ensure that user access changes are actually made.
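One way to verify that job-code-driven access changes "are actually made" is to reconcile the HR record against the roles currently granted in the ERP. The Python sketch below is an added example, not KPMG's or any vendor's code; the job codes, role names, record layout and sample data are hypothetical and constructed for illustration.

```python
from typing import NamedTuple

# Hypothetical job-code-to-role mapping (assumption, not from the report).
ROLE_MAP = {
    "AP_CLERK": {"ap.invoice.enter", "ap.supplier.view"},
    "AP_MANAGER": {"ap.invoice.approve", "ap.payment.release",
                   "ap.supplier.view"},
    "GL_ACCOUNTANT": {"gl.journal.post"},
}


class Action(NamedTuple):
    user: str
    op: str      # "grant", "revoke" or "review"
    role: str    # "*" when the whole account needs manual review
    reason: str


def reconcile(hr, granted, role_map=ROLE_MAP):
    """Compare HR records with granted roles and list corrective actions.

    hr:      user -> {"job_code": str, "status": str}
    granted: user -> set of role names currently assigned in the ERP
    """
    actions = []
    for user in sorted(set(hr) | set(granted)):
        have = set(granted.get(user, ()))
        rec = hr.get(user)
        if rec is None:
            # Account exists in the ERP but HR has never heard of it.
            want, why = set(), "no HR record"
        elif rec["status"] != "active":
            want, why = set(), "HR status " + rec["status"]
        elif rec["job_code"] not in role_map:
            # Do not guess entitlements for a job code nobody mapped.
            actions.append(Action(
                user, "review", "*",
                "unmapped job code " + rec["job_code"]))
            continue
        else:
            want = role_map[rec["job_code"]]
            why = "job code " + rec["job_code"]
        # Roles retained from an old position are revoked; roles the new
        # position needs but that were never provisioned are granted.
        actions += [Action(user, "revoke", r, why) for r in sorted(have - want)]
        actions += [Action(user, "grant", r, why) for r in sorted(want - have)]
    return actions


# Constructed sample data, not real users.
HR = {
    # Promoted from AP clerk to AP manager, as in the text.
    "pat": {"job_code": "AP_MANAGER", "status": "active"},
    "sam": {"job_code": "GL_ACCOUNTANT", "status": "active"},
    "lee": {"job_code": "AP_CLERK", "status": "terminated"},
    "kim": {"job_code": "AP_CLERK", "status": "active"},
    "ned": {"job_code": "TREASURY_ANALYST", "status": "active"},
}
GRANTED = {
    # Manager roles were added but the clerk role was never removed.
    "pat": {"ap.invoice.enter", "ap.supplier.view",
            "ap.invoice.approve", "ap.payment.release"},
    "lee": {"ap.supplier.view"},
    "kim": {"ap.invoice.enter", "ap.supplier.view"},
    "ghost": {"gl.journal.post"},
    "ned": {"ap.supplier.view"},
}

if __name__ == "__main__":
    for a in reconcile(HR, GRANTED):
        print(f"{a.op:6} {a.user:6} {a.role:22} ({a.reason})")
```
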

A strong password management application is needed to generate, retrieve, and store passwords. Generating a unique password and/or requiring passwords to be changed periodically (e.g., every three months) reduces the likelihood of fraud or a cyber event.

The governance process should also require auditors – internal or external – to come in and examine how the cloud ERP program is functioning. They should certify what is working and recommend ways to improve where it is falling short. They should be using the latest D&A software so they can review the large amounts of data flowing through the system.

You should also have a process in place to integrate your current on-premises ERP with the new cloud ERP system. This can streamline your processes and help reduce risk.

User Administration & Governance

— User Access Management

— Password Management

— User Access Management

— User Analytics


Cloud ERP risk control action steps

The following action steps highlight some of the key points we’ve discussed in this report. While you can’t completely eliminate the risks inherent in a cloud ERP solution – or in any application for that matter – these actions will increase your chances of preventing and detecting fraud events or cyber breaches, and mitigating potential losses.

1. Plan ahead: Security and controls considerations must be part of your upfront cloud-based ERP planning process. It’s disruptive, and exponentially more expensive and time consuming, to make adjustments to a cloud ERP to account for security risks after you go live. What’s more, applying fixes once your cloud ERP launches can impact functionality and efficiency, and also create unnecessary security risks.

2. Take a layered approach: A key to securing your cloud ERP is to have layers of security, even if they may seem redundant. This multi-layer approach – often referred to as defense in depth – ensures that if and when an area or business unit is successfully breached, damage will be mitigated because controls and security measures in other areas will detect and contain the breach.

3. Automate whenever possible: Review your controls, solutions and application security, automate the access authorization/approval process (e.g., when system users change jobs), and implement a strict SoD process. Also, as much as possible, have authorizations/approvals take place within the cloud ERP system; verbal or email authorizations increase the likelihood that an internal control weakness, cyber breach, or internal fraud will occur or go undetected.

4. Don’t overlook on-premises ERP threats: Even when you move your ERP to the cloud, you will likely still have an on-premises ERP footprint. For example, you may have on-premises integration points with third party vendors, healthcare providers, or banks. So your cloud ERP security and controls need to account for these potential risks and include processes for addressing them.

5. Monitor regularly: The cloud landscape is changing rapidly and new technologies (and risks) are constantly being introduced. You can have all the right controls and processes in place for today, but that might not be enough in six months. That’s why it’s a leading practice to have a knowledgeable internal audit team or third-party auditors frequently review your cloud ERP program. They’ll come in and test controls, look for deviations from your processes, and run analytics to determine if your system is working effectively, is up-to-date, and/or where it can be improved.

6. Work within your budget limitations: You simply may not be able to allocate five to 10 percent of your cloud ERP implementation budget to security and controls. What then? Create a roadmap that prioritizes the areas that are most important to you and most vulnerable to cybercrime or fraud. For many industries, this is revenue or inventory, but it can vary within each organization. Address two or three of the top areas prior to implementation, and then roll out additional protections in the future as funding becomes available. This piecemeal approach is not the best way to handle cloud ERP implementation, but it may be the best approach under the circumstances.


Final thoughts: hindsight is 20-20

An investment in mitigating cloud ERP risk through robust security and controls is like buying insurance. No one likes spending money on insurance; it’s costly and you may never actually use it. But when catastrophe strikes, you’re glad you have it, and the premiums you paid seem well worth it.

Cloud-based ERPs offer the potential to boost performance and operational efficiencies, and businesses are more than willing to spend money on enabling these capabilities. But they also have to be aware of the risks that can be created and take the necessary steps – and allocate adequate resources – to secure their cloud ERP.


Why clients choose KPMG

Our dedicated, experienced professionals, together with our commitment to innovative technology, have made us a go-to player for organizations looking for help or support with technical, advisory, or compliance matters involving cloud-based ERPs.

We’re a global network of professional services firms operating in 153 countries, collectively employing more than 207,000 people working in member firms around the world. We can work with you to design and implement a cloud-based ERP system that’s appropriate for your current needs and can be expanded to work for you in the future as you grow.

But don’t just take our word for it.

The Forrester Wave Report stated that KPMG is a leader among security consulting service providers, and awarded us the highest score of any company it evaluated. It added that we provide “high value consultants with operational experience who have deeper insights on the day-to-day battles clients fight.”

Further, according to Forrester, our acquisition of the Identity and Access Management (IAM) business of Cyberinc, “enhances KPMG’s existing capabilities as a leader in information security consulting services and expands the firm’s ability to provide clients with emerging and more agile IAM solutions.”

Driving business value for clients is at the core of the KPMG and Oracle strategic relationship. As an Oracle Platinum partner, KPMG is one of Oracle’s leading Cloud partners. We’ve been recognized with a Cloud Elite designation in the Oracle PartnerNetwork (OPN) Cloud Program, have multiple Cloud Excellence Implementer (CEI) badges and have won 25 Oracle Cloud Awards over the past three years. In addition, we have attained 25 Oracle specializations, including Oracle Enterprise Resource Planning (ERP) Cloud, Oracle Human Capital Management (HCM) Cloud, and Oracle Enterprise Performance Management (EPM).

Connect with us and let us demonstrate how we can help you and your business.

Organizations should look to KPMG when they need help with technical, advisory, or compliance engagements.

– Forrester Wave report, 2017


About the authors

Laeeq Ahmed: Laeeq is the leader of KPMG’s Oracle Security and Controls Service Network. For more than 25 years, he’s helped U.S. and international clients formulate and implement cloud-based enterprise resource planning (ERP) systems. He’s provided technology-based governance, risk management and compliance solutions to clients in multiple industries, including financial services, media & technology, industrials, aerospace & defense, pharmaceuticals, consumer & retail, and public sector entities.

Nicholas Seeman: As a Managing Director in KPMG’s Risk Consulting practice, Nick specializes in GRC, IT Processes and Controls, Oracle Cloud ERP and HCM, PeopleSoft HCM & Financials, Oracle EBS, PeopleSoft and Oracle Technology Security. With more than 14 years of combined IT Advisory and IT business experience, he assists clients across a variety of industries, including power & utilities, healthcare and manufacturing, in enhancing security and operational efficiency through the use of application controls and security models, data privacy controls, and user access management processes.


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.


Contact us

Laeeq Ahmed
KPMG Oracle Risk Consulting Leader
T: 818-227-6032
E: [email protected]

Nicholas Seeman
Managing Director, GRC Technology
T: 214-840-4581
E: [email protected]

kpmg.com/socialmedia

Some or all of the services described herein may not be permissible for audit clients and their affiliates or related entities.
