Press Release

Onapsis and Cloud Security Alliance Establish ERP Security Working Group to Securely Migrate SAP and Oracle to the Cloud

Boston, MA – July 20, 2017 – Recognized as one of the top threats to Global 2000 organizations, the security of business-critical applications such as SAP and Oracle is still an emerging space where standards have yet to coalesce. This becomes an even greater issue as these applications are moved to the cloud. To fill this gap, Onapsis, the global experts in SAP and Oracle business-critical application cybersecurity and compliance, and the Cloud Security Alliance (CSA) have established the Enterprise Resource Planning (ERP) Security Working Group. CISOs and experts from IBM, Deloitte and other technology leaders will help lead the initiative.

Business-critical ERP applications, such as SAP and Oracle, are an obvious attack target for cyber hackers as they store an organization’s mission-critical data. In addition, these systems are very complex, often having been implemented with customizations that map to specific business processes as outlined by an organization. However, there is currently no true set of standards for organizations to follow when securing the migration of these ERP systems to the cloud. Every ERP deployment is unique to its organization, and these differences make standard security measures more difficult to implement. As a result, the industry is at a point where it is imperative that leading practices be established for securing ERP applications in the cloud.

The charter of the CSA ERP Security Working Group seeks to develop leading practices that can enable organizations with large ERP environments to securely migrate these applications to the cloud environment. In addition, these leading practices can allow business applications such as SAP and Oracle to remain secure and compliant while operating in the cloud. These leading practices will largely focus on how organizations can define Service Level Agreements (SLAs) with cloud service providers to understand where the division of responsibility lies for implementing security, providing reports, and determining what security offerings are guaranteed by the cloud service provider.

“Having security standards in place is an important component for any cloud security ecosystem, and is necessary in order to accelerate the adoption of critical business applications to the cloud. We’re looking forward to collaborating with some of the most well-respected and knowledgeable security professionals to set the benchmark and create a win for vendors, partners and users,” said Jim Reavis, CEO, CSA.

“ERP is the next wave of application security and has been a blind spot for many Fortune 500 organizations who are looking for guidance and best practices as they make major decisions about moving their business critical applications to the cloud,” said Mariano Nunez, CEO, Onapsis. “As a lead research pioneer in this emerging space, we are excited to co-lead this initiative with CSA to bring together the ecosystem necessary to accelerate and ease adoption of ERP business-critical applications in the cloud.”

“Enterprises and governments are struggling with the challenge of how to manage their cyber risks as they move their business processes and data to the cloud. This initiative to establish an ERP security working group to help develop cloud cybersecurity guidelines will enable organizations to migrate securely and provide continued security from implementation to ongoing management,” said Charlie Singh, Associate Partner, IBM Security.

“It is not a simple ‘lift and shift’ of existing approaches and controls; moving these applications to the cloud requires an entirely new approach,” said Adrian Lane, CTO, Securosis.

The CSA ERP Security Working Group charter includes the following reference materials, kicking off this quarter:

  • Q3 2017: Whitepaper on state of ERP Cloud Security
  • Q4 2017: Guidance for SLAs regarding ERP migration
  • Q1 2018: Mapping and Guidance for CSA controls to ERP business application environments
  • Q2 2018: RSAC 2018 CSA Summit Presentation and Working Group Meeting

Participation is open to all qualified experts. To participate contact Onapsis at [email protected] or [email protected] list or visit

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts. For further information, visit us at

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry-wide and has earned Onapsis recognition as a 2015 SINET 16 Innovator.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners. Please see for a detailed description of Deloitte’s legal structure.

Media contacts:

Leslie Kesselring, Kesselring Communications
[email protected]

Kari Walker for the CSA
ZAG Communications
[email protected]