Supply Chain and Master Data Decisions in ERP

Blog Written By | ERPFocus

ERP and Supply Chain: Master Data Decisions

It is often surprising for a supply chain team to see how much master data they create and maintain when it’s collected and organized in one place. Because ERP generally provides increased functionality, there is also usually additional master data required to use that functionality. Without attempting to examine every master data field in ERP, the three broad areas discussed below should help you start thinking about supply chain master data issues.

1.  Data ownership when there is overlapping responsibility

An easy example of this category is the bill of materials. Many functional areas depend on the information in the bill of materials: finance for product costing, the supply chain for material demands, engineering for spec sheets or blueprints, and development for new product adoption. Which of these functional areas should have the ultimate authority over the numbers and relationships in the bill of materials? Typically, in legacy systems, every functional area created its own version of a BOM, because every functional area had a different agenda which marginally affected the data. Costing wanted numbers that reflected the lowest possible product cost; the supply chain wanted higher numbers to ensure they never ran short of anything. The best candidate for ownership of this type of data is the one with the least agenda, such as development. The paradox is that because they have no agenda, they have no real passion for accurately maintaining the data.

2.  Yields and tolerances

This tends to be a greater issue in process manufacturing than discrete, but it needs reasonable consideration in both types of industries. In this context, “yield” is referring to the calculated expectation of how much first quality product will be produced on average from a fixed amount of components. “Tolerances”, in this context, refer to how much over or short you can be in filling an order, and still be of value to the customer. These two data pieces work in tandem as a hedge against manufacturing variation to determine how consistently you can satisfy customer expectations.

3.  Computing rules

These are shorthand codes that tell the MRP portion of ERP how to behave. Each rule is generally understandable on a stand-alone basis, but as the rules begin influencing each other, the results – while always logical – can be complex, unexpected, and unwanted. These computing rules involve everything from how to treat safety stock inventory to whether a material is purchased or manufactured to whether a material is make-to-order or make-to-stock. To master these rules generally involves experimentation, rather than intuiting the setup based on the written explanations.

To the maximum extent possible, assign informed people to figure out how to set up supply chain master data as soon as legitimate testing can occur. These people don’t have to own master data forever; they just need to discover and document what the right settings are. In the supply chain, master data has almost as big an impact on ERP performance as the configuration does.

Cloud computing threats – How to stop them?

Blog Written by | TechRepublic

How to prevent the top 11 threats in cloud computing

The latest risks involved in cloud computing point to problems related to configuration and authentication rather than the traditional focus on malware and vulnerabilities, according to a new Cloud Security Alliance report.

Using the cloud to host your business’s data, applications, and other assets offers several benefits in terms of management, access, and scalability. But the cloud also presents certain security risks. Traditionally, those risks have centered on areas such as denial of service, data loss, malware, and system vulnerabilities. A report released by the Cloud Security Alliance argues that the latest threats in cloud security have now shifted to decisions made around cloud strategy and implementation.

Based on a survey of 241 industry experts on security issues in the cloud industry, the CSA’s report Top Threats to Cloud Computing: The Egregious 11 focused on 11 notable threats, risks, and vulnerabilities in cloud environments. For each threat described, the report highlights the business impact, specific examples, and recommendations in the form of key takeaways.

1.  Data breaches

A data breach can be any cybersecurity incident or attack in which sensitive or confidential information is viewed, stolen, or used by an unauthorized individual.

Business Impact

  • Data breaches can damage a company’s reputation and foster mistrust from customers and partners.
  • A breach can lead to the loss of intellectual property (IP) to competitors, impacting the release of a new product.
  • Regulatory implications may result in financial loss.
  • The impact on a company’s brand may occur as a result of incident response and forensics.

Key Takeaways and Recommendations

  • Defining the business value of data and the impact of its loss is essential for organizations that own or process data.
  • Protecting data is evolving into a question of who has access to it.
  • Data accessible via the Internet is the most vulnerable asset for misconfiguration or exploitation.
  • Encryption techniques can protect data but can also hamper system performance and make applications less user-friendly.
  • A robust and well-tested incident response plan that considers the cloud provider and data privacy laws can help data breach victims recover.

2.  Misconfiguration and inadequate change control

Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. Some examples of misconfiguration include unsecured data storage elements or containers, excessive permissions, unchanged default credentials and configuration settings, standard security controls left disabled, unpatched systems, logging or monitoring left disabled, and unrestricted access to ports and services.

Business Impact

The business impact depends on the nature of the misconfiguration, and how quickly it is detected and resolved. The most common issue is the exposure of data stored in cloud repositories.

Key Takeaways and Recommendations

  • As cloud-based resources can be complex and dynamic, they can prove challenging to configure.
  • Traditional controls and approaches for change management are not effective in the cloud.
  • Companies should embrace automation and use technologies that continuously scan for misconfigured resources and remediate problems in real-time.
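
As an added illustration (not part of the original article or the CSA report), the sketch below scans a constructed resource inventory for the misconfiguration types listed above. The field names, the `ADMIN_PORTS` policy, and the rule identifiers are assumptions for the example, not any cloud provider's schema.

```python
from ipaddress import ip_network

# Assumed policy: ports that must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Constructed inventory; field names are illustrative only.
INVENTORY = [
    {"id": "bkt-reports", "type": "bucket", "public_access": True, "access_logging": False},
    {"id": "bkt-private", "type": "bucket", "public_access": False, "access_logging": True},
    {"id": "role-ci", "type": "role",
     "statements": [{"effect": "allow", "actions": ["*"], "resources": ["*"]}]},
    {"id": "role-reader", "type": "role",
     "statements": [{"effect": "allow", "actions": ["storage:get"],
                     "resources": ["bkt-private"]}]},
    {"id": "db-orders", "type": "database", "default_credentials": True, "audit_logging": True},
    {"id": "fw-web", "type": "firewall", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "0.0.0.0/0"},
        {"port": 3389, "cidr": "::/0"},
        {"port": 5432, "cidr": "10.0.0.0/8"}]},
]

def open_to_world(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def scan_resource(res):
    """Return (rule, detail) findings for one record. Missing fields fail closed."""
    findings = []
    kind = res["type"]
    if kind == "bucket":
        if res.get("public_access", True):
            findings.append(("unsecured-storage", "bucket is publicly accessible"))
        if not res.get("access_logging", False):
            findings.append(("logging-disabled", "bucket access logging is off"))
    elif kind == "role":
        for stmt in res.get("statements", []):
            if (stmt.get("effect") == "allow" and "*" in stmt.get("actions", [])
                    and "*" in stmt.get("resources", [])):
                findings.append(("excessive-permissions", "allows every action on every resource"))
    elif kind == "database":
        if res.get("default_credentials", True):
            findings.append(("default-credentials", "default login never changed"))
        if not res.get("audit_logging", False):
            findings.append(("logging-disabled", "database audit logging is off"))
    elif kind == "firewall":
        for rule in res.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and open_to_world(rule["cidr"]):
                findings.append(("unrestricted-port",
                                 f"port {rule['port']} open to {rule['cidr']}"))
    return findings

def scan(inventory):
    """Map resource id -> findings, omitting resources that pass every check."""
    report = {}
    for res in inventory:
        findings = scan_resource(res)
        if findings:
            report[res["id"]] = findings
    return report

if __name__ == "__main__":
    for rid, findings in scan(INVENTORY).items():
        for rule, detail in findings:
            print(f"{rid}: {rule}: {detail}")
```

Running a check like this on every configuration change, rather than on a periodic audit schedule, is what closes the gap between a misconfiguration being introduced and being detected.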

3.  Lack of cloud and security architecture and strategy

As companies migrate parts of their IT infrastructure to the public cloud, one of the largest challenges is implementing the proper security to guard against cyberattacks. Assuming that you can just “lift and shift” your existing, internal IT stack and security controls to the cloud can be a mistake.

Business Impact

Proper security architecture and strategy are required for securely moving, deploying, and operating in the cloud. Successful cyberattacks due to weak security can lead to financial loss, reputational damage, legal repercussions, and fines.

Key Takeaways and Recommendations

  • Make sure that security architecture aligns with your business goals and objectives.
  • Develop and implement a security architecture framework.
  • Ensure that the threat model is kept up to date.
  • Bring continuous visibility into the actual security posture.

4.  Insufficient identity, credential, access, and key management

Security incidents and breaches can occur due to the inadequate protection of credentials, a lack of regular automated rotation of cryptographic keys and passwords, a lack of scalable identity and credential management systems, a failure to use multifactor authentication, and a failure to use strong passwords.

Business Impact

Insufficient identity, credential, or key management can enable unauthorized access to data. As a result, malicious actors masquerading as legitimate users can read, modify, and delete data. Hackers can also issue control plane and management functions, snoop on data in transit, and release malware that appears to come from a legitimate source.

Key Takeaways and Recommendations

  • Secure accounts, including with two-factor authentication, and limit the use of root accounts.
  • Practice the strictest identity and access controls for cloud users and identities.
  • Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
  • Rotate keys, remove unused credentials and privileges, and employ central and programmatic key management.
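
As an added illustration (not part of the original article or the CSA report), the sketch below audits a constructed credential report against the recommendations above: two-factor authentication on interactive accounts, no access keys on root, key rotation, and removal of unused credentials. The 90-day thresholds, field names, and rule identifiers are assumptions for the example.

```python
from datetime import date

# Assumed policy thresholds; pick values that match your own standard.
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 90

# Constructed credential report; field names are illustrative only.
REPORT = [
    {"user": "root", "is_root": True, "console": True, "mfa": False,
     "key_created": date(2023, 1, 10), "key_last_used": date(2024, 5, 28)},
    {"user": "alice", "is_root": False, "console": True, "mfa": True,
     "key_created": date(2024, 4, 1), "key_last_used": date(2024, 5, 30)},
    {"user": "bob", "is_root": False, "console": True, "mfa": False,
     "key_created": None, "key_last_used": None},
    {"user": "svc-backup", "is_root": False, "console": False, "mfa": False,
     "key_created": date(2023, 11, 15), "key_last_used": None},
    {"user": "svc-deploy", "is_root": False, "console": False, "mfa": False,
     "key_created": date(2024, 5, 1), "key_last_used": date(2024, 5, 31)},
]

def audit_identity(row, today):
    """Return the rule identifiers one identity violates, in check order."""
    findings = []
    has_key = row["key_created"] is not None

    # Interactive logins need a second factor; service identities have no console.
    if row["console"] and not row["mfa"]:
        findings.append("no-mfa")

    # Root should not hold long-lived programmatic credentials at all.
    if row["is_root"] and has_key:
        findings.append("root-access-key")

    if has_key:
        # Rotation: flag keys older than the policy allows.
        if (today - row["key_created"]).days > MAX_KEY_AGE_DAYS:
            findings.append("stale-key")
        # Unused credentials: never used, or idle beyond the threshold.
        last_used = row["key_last_used"]
        if last_used is None or (today - last_used).days > MAX_IDLE_DAYS:
            findings.append("unused-key")
    return findings

def audit(report, today):
    """Map user -> findings, omitting identities that pass every check."""
    result = {}
    for row in report:
        findings = audit_identity(row, today)
        if findings:
            result[row["user"]] = findings
    return result

if __name__ == "__main__":
    # Fixed date so the constructed sample gives the same result on every run.
    for user, findings in audit(REPORT, date(2024, 6, 1)).items():
        print(f"{user}: {', '.join(findings)}")
```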

5.  Account hijacking

Through account hijacking, attackers gain access to and abuse accounts that are highly privileged or sensitive. In cloud environments, the accounts at greatest risk are cloud service accounts or subscriptions.

Business Impact

  • As account hijacking implies full compromise and control of an account, business logic, function, data, and applications reliant on the account can all be at risk.
  • The fallout from account hijacking can be severe. Some recent breach cases lead to significant operational and business disruptions, including the complete elimination of assets, data, and capabilities.
  • Account hijacking can trigger data leaks that lead to reputational damage, brand value degradation, legal liability exposure, and sensitive personal and business information disclosures.

Key Takeaways and Recommendations

  • Account hijacking is a threat that must be taken seriously.
  • Defense-in-depth and IAM controls are key in mitigating account hijacking.

6.  Insider threats

Insiders don’t have to break through firewalls, virtual private networks (VPNs), and other security defenses and instead operate on a trusted level where they can directly access networks, computer systems, and sensitive data.

Business Impact

  • Insider threats can result in the loss of proprietary information and intellectual property.
  • System downtime associated with insider attacks can impact company productivity.
  • Data loss can reduce confidence in company services.
  • Dealing with insider security incidents requires containment, remediation, incident response, investigation, post-incident analysis, escalation, monitoring, and surveillance, all of which can add to a company’s workload and security budget.

Key Takeaways and Recommendations

  • Take measures to minimize insider negligence to mitigate the consequences of insider threats.
  • Provide training to your security teams to properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices.
  • Provide training to your regular employees to inform them how to handle security risks, such as phishing and protecting corporate data they carry outside the company on laptops and mobile devices.
  • Require strong passwords and frequent password updates.
  • Inform employees of repercussions related to engaging in malicious activity.
  • Routinely audit servers in the cloud and on-premises, and then correct any changes from the secure baseline set across the organization.
  • Make sure that privileged access security systems and central servers are limited to a minimum number of employees, and that these individuals include only those with the training to handle the administration of mission-critical computer servers.
  • Monitor access to all computer servers at any privileged level.

7.  Insecure interfaces and APIs

APIs (Application Programming Interfaces) and UIs (User Interfaces) are typically the most exposed parts of the system, often the only asset with a public IP address available outside the trusted boundary. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent security.

Business Impact

Though most cloud providers try to integrate security into their models, cloud customers must also understand the security implications. A weak set of interfaces and APIs exposes organizations to various security issues related to confidentiality, integrity, availability, and accountability.

Key Takeaways and Recommendations

  • Practice good API hygiene. This includes the diligent oversight of items such as inventory, testing, auditing, and abnormal activity protections.
  • Ensure the proper protection of API keys and avoid reuse.
  • Consider using standard and open API frameworks (e.g. Open Cloud Computing Interface (OCCI) and Cloud Infrastructure Management Interface (CIMI)).

8.  Weak control plane

The control plane enables security and integrity to complement the data plane, which provides the stability of the data. A weak control plane means the person in charge is not in full control of the data infrastructure’s logic, security, and verification.

Business Impact

  • A weak control plane could result in data loss, either by theft or corruption. Regulatory punishment for data loss may be incurred as well.
  • With a weak control plane, users may also be unable to protect their cloud-based business data and applications.

Key Takeaways and Recommendations

  • Adequate security controls provided through a cloud provider are necessary so that cloud customers can fulfill their legal and statutory obligations.
  • Cloud customers should perform due diligence and determine if the cloud service they intend to use possesses an adequate control plane.

9.  Metastructure and applistructure failures

Potential failures exist at multiple levels in the metastructure and applistructure model. For example, poor API implementation by the cloud provider offers attackers an opportunity to disrupt cloud customers by interrupting confidentiality, integrity, or availability of the service.

Business Impact

Metastructure and applistructure are critical components of a cloud service. Failures involving these features at the cloud provider level can severely impact all service consumers. At the same time, misconfigurations by the customer could disrupt the user financially and operationally.

Key Takeaways and Recommendations

  • Cloud providers must offer visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for customers.
  • Cloud customers should implement appropriate features and controls in cloud native designs.
  • All cloud providers should conduct penetration testing and provide findings to customers.

10.  Limited cloud usage visibility

Limited cloud usage visibility occurs when an organization does not have the ability to visualize and analyze whether cloud service use within the organization is safe or malicious.

Business Impact

  • Lack of governance. When employees are unfamiliar with proper access and governance controls, sensitive corporate data can be placed in public access locations vs. private access locations.
  • Lack of awareness. When data and services are in use without the knowledge of the company, the company is unable to control its IP. That means the employee has the data, not the company.
  • Lack of security. When an employee incorrectly sets up a cloud service, it can become exploitable not only for the data that resides on it but for future data. Malware, botnets, cryptocurrency mining malware, and more can compromise cloud containers, putting organizational data, services, and finances at risk.

Key Takeaways and Recommendations

  • Mitigating these risks starts with the development of a complete cloud visibility effort from the top down. This process usually starts with creating a comprehensive solution that ties into people, process, and technology.
  • Mandate company-wide training on accepted cloud usage policies and enforcement.
  • All non-approved cloud services should be reviewed and approved by the cloud security architect or third-party risk management.
  • Invest in solutions like cloud access security brokers (CASB) or software-defined gateway (SDG) to analyze outbound activities and help discover cloud usage, at-risk users, and to follow the behavior of credentialed employees to identify anomalies.
  • Invest in a web application firewall (WAF) to analyze all inbound connections to your cloud services for suspicious trends, malware, distributed denial-of-service (DDoS), and botnet risks.
  • Select solutions that are specifically designed to monitor and control all of your key enterprise cloud applications (enterprise resource planning, human capital management, commerce experience, and supply chain management) and ensure suspicious behaviors can be mitigated.
  • Implement a zero-trust model across your organization.

11.  Abuse and nefarious use of cloud services

Malicious actors may leverage cloud computing resources to target users, organizations, or other cloud providers, and can also host malware on cloud services. Some examples of the misuse of cloud resources include: launching DDoS attacks, email spam and phishing campaigns, “mining” for digital currency, large-scale automated click fraud, brute-force attacks on stolen credential databases, and hosting of malicious or pirated content.

Business Impact

  • If an attacker has compromised the management plane of a customer’s cloud infrastructure, the attacker can use the cloud service for illicit purposes while the customer foots the bill. The bill could be substantial if the attacker consumed substantial resources, such as mining cryptocurrency.
  • Attackers can also use the cloud to store and propagate malware. Enterprises must have controls in place to deal with these new attack vectors. This may mean procuring security technology that can monitor cloud infrastructure or API calls from and to the cloud service.

Key Takeaways and Recommendations

  • Enterprises should monitor their employees in the cloud, as traditional mechanisms are unable to mitigate the risks posed by cloud service usage.
  • Employ cloud data loss prevention (DLP) technologies to monitor and stop any unauthorized data exfiltration.

Multi-cloud deployment: What is it & how can businesses benefit

This comprehensive guide covers the use of services from multiple cloud vendors, including the benefits businesses gain and the challenges IT teams face when using multi-cloud.

Cloud services from AWS, Microsoft, and Google have increased in popularity over the last decade. As a result, organizations are utilizing cloud services from multiple vendors, leading to the aptly named paradigm of multi-cloud. TechRepublic released a cheat sheet on how to navigate through the multi-cloud era and what it means for your business.

Executive Summary

  • What is multi-cloud? Multi-cloud is the practice of using cloud services from multiple heterogeneous cloud service providers, as well as specialized platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS) providers. Multi-cloud also includes private clouds and hybrid clouds with multiple public cloud components.
  • What advantages do multi-cloud deployments offer? Multi-cloud is about enabling choice – to be able to pick and choose components from multiple vendors – allowing organizations and application developers to use the best fit for their intended purpose.
  • Should my business use a multi-cloud approach? Generally, a multi-cloud deployment will be useful for organizations that have specific needs or dependencies to satisfy.
  • How popular is multi-cloud? This is happening on a case-by-case basis. As organizations outgrow the capabilities of their cloud service providers, services from additional vendors may be needed.
  • How do I build a multi-cloud deployment? A multi-cloud deployment should be carefully planned to avoid interoperability issues. The use of cloud management platforms is recommended.

What is multi-cloud?

Multi-cloud refers to the practice of using services from multiple heterogeneous cloud service providers, including AWS, Google Cloud Platform, or Microsoft Azure, as well as specialized platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS) providers. Multi-cloud also comprises the use of private cloud environments and hybrid cloud environments that leverage more than one public cloud platform.

As an architectural choice, multi-cloud can be used for a variety of reasons – the most obvious one is disaster recovery: While cloud vendors offer a variety of options and SLAs for redundancy to guarantee uptime and backups to ensure data integrity, both of these rely on the supposition that the vendor’s entire infrastructure does not fail at once.

While most workloads can be built to be vendor-neutral (this flexibility is a primary benefit of multi-cloud), some workloads may benefit from using specific cloud platforms. Roughly one-third of the IT professionals surveyed in TechRepublic Premium’s Managing the multi-cloud survey indicated their organization uses a specialized application or solution provider, such as Google Drive, Cloudflare, etc. These are closer to services than they are to cloud platforms – while there is feature duplication between these similar companies, as with public cloud, these products do not support the general compute workloads commonly associated with cloud computing.

What advantages do multi-cloud deployments offer?

Multi-cloud’s main advantage is that organizations and application developers can pick and choose components from multiple vendors and use the best fit for their intended purpose. To draw a comparison, multi-cloud is more à la carte than table d’hôte.

For organizations with an outsized dependency on the Windows ecosystem, leveraging some Microsoft Azure services may be beneficial, while the same organization may use Google Cloud for machine learning and analytics and/or Amazon for public-facing web services.

Another benefit of multi-cloud deployments is cost savings. Competitive pricing is a strategy used by multiple vendors to entice customers to migrate from a traditional, on-premises data center to a hybrid or public cloud model. There is an important caveat to this approach: The time required to create integrations between clouds, with cost savings as a primary motivator, can be counterproductive, as developing those integrations can cost more than the savings they would produce.

Should my business use a multi-cloud approach?

Generally, a multi-cloud deployment will be useful for organizations that have specific needs or dependencies to satisfy, such as integrations of Internet of Things (IoT) devices, or reliance on Windows software or specific third-party solutions. Multi-cloud offers a great deal of flexibility in how resources are managed, though the difficulty increases roughly exponentially with the number of integrations added. Cloud management platforms can be used to ease the deployment and integration of various cloud services.

Presently, cloud providers are not engaging in vendor lock-in – putting up barriers to interoperability, or hampering migration to a different provider – although customer retention is expected to become an increasing concern as cloud services are commoditized.

According to Carson Sweet, CTO of cloud security firm CloudPassage, “Retention in most of the major providers is achieved by crafting a value proposition that entices users to use more services on a broader scale. The idea now is to get customers to the point of being ‘all-in’ of the customer’s own volition….buyers have largely evolved well beyond getting ‘tricked’ into lock-in.”

How popular is multi-cloud?

Multi-cloud is continuing to gain popularity as competitors to AWS have appeared, and particularly as specialized cloud technology vendors and service vendors have gained traction.

As organizations grow, it may be the case that the needs of individual teams or projects are not met by their existing cloud provider. Likewise, for mergers and acquisitions, not all business operations can be easily migrated to the cloud infrastructure of the acquiring company. These are optimal cases for adding a secondary public cloud provider for a multi-cloud deployment.

How do I build a multi-cloud deployment?

Migrating to a multi-cloud deployment is not a decision that should be entered into lightly. While the proliferation of open-source software has greatly decreased issues with vendor lock-in, the potential for interoperability problems to occur still exists. Cloud management platforms can be used to avoid potential issues with common configurations, though some corner cases can hamper successful deployment. Particularly, as vendor-specific APIs are somewhat opaque and not necessarily static, the ability to launch a multi-cloud deployment can be complicated by mutual incompatibilities.

Check out TechRepublic for additional resources on cloud development and how it is changing the industry.

Resource Credit | TechRepublic
