How to secure mission critical hybrid ERP applications

With ERP vendors prioritising cloud licensing, Onapsis security solutions for critical applications are moving to the forefront with channel partners.

All cybersecurity professionals agree that you are only as secure as your weakest link. ERP systems, by nature of their need for continuous uptime, see delays of months and years on patching critical vulnerabilities. Outside systems are left to fill the gap, but penetrate the shield and the ERP system is a ripe target, often with few signs of it having been breached. These systems are at core of what run the business. Compromise them and businesses will cease to function.

Everyone wants a single plane of glass, and Onapsis supports that in instances, while analysing results or responding to active threats. The primary interface is through a web-based console, and Onapsis has further connectors with a variety of third-party tools. The Onapsis Platform is scalable and flexible. It can deploy in any combination of private, public, or hybrid models, even distributed among different cloud solutions.

This works because Onapsis has models that leverage local clients or zero-footprint API calls. Sensors collect and analyse data from the ERP system, removing the security load from the ERP processing stack. The console lets you set policy, view results, and integrate with third party systems like SIEMs and ServiceNow. Onapsis only require TCP connections between the ERP system, sensors, and console.

Onapsis threat database is SaaS-based with intelligence from Onapsis Research Labs group, responsible for finding over 800 critical and zero-day vulnerabilities in SAP and Oracle. Onapsis sends updated signatures to clients, and their consoles automatically look for vulnerabilities or exploits in action. Similarly, customers apply compliance module checks based on library and custom queries in response to their auditors’ needs. Once in place, the work primarily shifts to finding compliance failures.

ERP platforms state, amongst its terms of service, that you as a customer are responsible for application security on top of their platform. ERP service providers build and maintain an excellent foundation, but you are responsible for the house on top of that foundation. If someone finds a window you left open or a door your left unlocked, that is on you, not the ERP provider.

Cyber insurance is unlikely to pay out in those instances as their terms disqualify coverage for an unpatched vulnerability. That is quite common in ERP systems where patch frequency is six months or greater.

The question therefore is what are the gains of operating in the cloud using Onapsis?

Onapsis offers insights on both sides: open vulnerabilities and exploits in action. Onapsis shows source code that makes an enterprise less secure and exposes system changes that weaken their security position. Inside the cloud arena, there is a big move to specialisation in cloud offerings. Onapsis has offerings that work in a number of the private cloud solutions. Onapsis has customers in HANA Enterprise Cloud, for example. Onapsis engineering team is actively engaged in building support for a number of environments because Onapsis recognise that ERP is becoming increasingly dependent on cloud services.

Partner programme

The Onapsis nCase Partner Programme is based on a four-pillar global strategy that encompasses system integrators, managed security service providers, technology alliance partners and value-added resellers. Onapsis offers business-critical application security and compliance solution.

As a member of the Onapsis nCase Partner Programme, partners benefit from access to specialised knowledge base, expertise and insight into ERP security best practices. In turn, this makes Onapsis partners qualified to help customers analyse security and compliance programmes within their customer’s critical infrastructure.

When Darren Gaeta, Vice President of World Wide Alliances and Channels at Onapsis, joined in November of 2018, the organisation had a rudimentary channel programme with system integrators including Deloitte, PwC and IBM. Darren primary objective was on expanding the programme, utilising a four-pillar approach. Darren built the programme focusing on adding VARs, system integrators, MSSP’s, and technology alliances.

Gaeta leveraged past relationships including Accenture, Deloitte, PwC, IBM, Protiviti, Optiv, Guidepoint, and Deepwatch. These relationships have added to Onapsis’ go-to-market sell out channels.

The revamp of the partner programme makes it easier for partners to work with Onapsis. Onapsis has launched a registration platform to simplify registering and approving prospective customer deals. Onapsis has introduced a global partner portal with exclusive access to sales and technical training, as well as branding and lead generation programmes. Onapsis has developed a specialised knowledge base, with expert advice, educational resources, and insight into security best practices, including actionable information about key compliance issues that need to be addressed during ERP migrations.

In the past year, Onapsis nCase Partner Programme has reached nearly $5 Million in revenue for selected partners. The Onapsis Partner Programme has also reached global status, expanding beyond North America into EMEA and the Benelux region. Inside the region, Spectrami is Onapsis’ value added distributor and follows the same global partner programme inside the region as well.

Benefits of Onapsis nCase Partner Programme