Over the past five years, senior ERP managers will have observed a trend away from on-premise and toward cloud-based solutions. This trend is evidenced by the growth of pure SaaS ERP such as Kenandy, FinancialForce, and NetSuite compared to that of on-premise suites such as Oracle EBS, Oracle PeopleSoft, and SAP. This migration has profound effects on the ERP market, attracting new vendors born in the cloud while simultaneously pushing the traditional tier one providers to offer SaaS.
The senior ERP manager must cope with some tension as the business side of their organization usurps the traditional role of information technology departments in selecting cloud-based solutions. At the forefront of this tension is the question of data security, and this question will determine the vector of the trend toward cloud-based ERP. Anticipate a slow-down in the adoption of multi-tenant cloud applications over the next five years due to what will be growing concerns over cyber security in the cloud, especially as we approach the horizon of quantum computing.
For the overall market, expect SAP and Oracle to maintain their tier one positions. ERP is a slow-moving market, and some large-scale ERP customers will continue to approach the cloud with caution ceteris paribus. The advent of working quantum computers, which render obsolete all current public encryption algorithms, will alarm any executive required to attest to their firm’s data controls. As a result, firms will attribute greater weight to their own internal physical security controls. This weighting will push firms toward either on-premise solutions or, at least, towards ERP vendors with proven on-premise expertise.
Customers should take note of a couple of areas where reality differs from even well-informed perception. It is perception that will dictate, following the first whispers of an ERP data breach (quantum or not) in the public cloud, that the cloud itself is volatile and that on-premise options were, and always will be, safer. Actual comparisons of a company’s internal data center, especially that of an SMB, to data centers belonging to vendors in the public cloud will show a different picture. Although not immediately intuitive, it does stand to reason that cloud vendors would provide the safest haven in terms of both physical and electronic data security. It is among their core competencies to do so. Also, quantum decryption exploits the same holes in a firm’s internal data security as in the security provided by cloud providers, so the marginal safety of on-premise may be illusory.
To sail more smoothly through, or even buck completely, a security-driven anti-cloud trend, pure SaaS vendors vying for tier one should begin immediately to research and implement standards such as those in the NSA’s Commercial National Security Algorithm Sheet. This and other sources such as NIST FIPS Pub 1040-2 provide guidance on how to resist quantum decryption. Software vendors should do this and do it as publicly as possible.
Senior ERP managers will serve themselves by taking the following immediate actions.
They should meet with their CISO and review the firm’s position on data security in the cloud. In particular, they should make sure the firm has codified a security policy that addresses quantum decryption. With such a policy in place, senior ERP managers must evaluate current and prospective ERP vendors through this lens.
In the process, the senior ERP manager should take note of those ERP players who have stayed ahead of quantum decryption risks. It should be relatively easy to identify those who are prepared. They will be the ones advertising it. They will be the ones publishing white-papers.
Lastly, and almost certainly in the event of a public data breach, the senior ERP manager will need to steel themselves against what may seem a rush from cloud toward on-premise. On-premise will seem safer to some, but the facts often do not support this conclusion. The senior ERP manager may have to manage a struggle between perception and reality when it comes to comparing the firm’s own data security with that of the public cloud. They should craft their response in advance and rehearse it.