Seattle, WA – January 11, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released the findings from the first research survey on “Enterprise Resource Planning (ERP) Applications and Cloud Adoption.” The study offers greater insight into cloud preparation and migration, the features and benefits gained, and the security and privacy challenges for ERP systems in a cloud environment.

According to the survey, 69 percent of organizations are migrating data for popular ERP cloud applications to the cloud, moving to major cloud infrastructure-as-a-service providers, with the overwhelming majority, almost 90 percent, stating that these applications are business-critical.

In line with the top three migration concerns - moving sensitive data followed by security and compliance - the research finds that attackers are evolving, too. Over half of the survey respondents stated that they expect security incidents in the cloud to increase in the next year.

Yet, when it comes to accountability, there are troubling misconceptions: While 60 percent of survey respondents claim that they feel the cloud service provider is responsible for a breach, 77 percent believe that it is the responsibility of the organization itself actually to secure their ERP applications. Third-parties are held least accountable and responsible. This perception gap shows that organizations need to take more ownership of their business-critical applications while migrating them to the cloud.

“The cloud computing ecosystem is maturing rapidly and business-critical applications, such as ERP solutions, are being moved to cloud environments. With this shift, organizations are starting to explore the question of whether a cloud environment might alleviate traditional challenges that business-critical applications normally face,” said John Yeoh, Director of Research, Americas for the Cloud Security Alliance. “As moving to the cloud raises its own security and privacy challenges, we wanted to provide some benchmarks regarding the myriad issues surrounding cloud migration and security.”

The study, which was sponsored by Onapsis, a leader in business-critical application security, surveyed 199 managers, C-level executives, and staff from enterprises in the Americas (49%), APAC (26%) and EMEA (25%).

“In any cloud migration, regardless of the provider, security must be implemented from the start and implemented in phases throughout the project. Organizations are concerned about moving sensitive data across environments, then addressing the security and compliance implications that come of that migration. Our studies have found that implementing security in each phase of the migration could save customers over five times of their implementation costs,” stated Juan Pablo Perez-Etchegoyen, CTO of Onapsis and Chair of the CSA ERP Security Working Group.

Among the survey’s other key findings:

  • Americas (73%) and APAC (73%) were more likely to report that they were currently migrating business-critical applications to the cloud than those in EMEA, where regulations such as the European Union General Data Protection Regulation (GDPR) impacted organizational plans for technology purchases, cloud services, and third-party policies.
  • Companies are taking added measures to protect their ERP applications in the cloud, including identity and access controls (68%), firewalls (63%), and vulnerability assessment (62%).
  • On-premise models (61%) are employed most commonly, with cloud SaaS (41%), cloud IaaS (23%) and cloud PaaS (17%) following.
  • Listed among the benefits of moving to the cloud were scalability with new technologies (65%), lower cost of ownership (61%) and security patching and updating by the provider (49%). Barriers listed were moving of sensitive data (65%), security (59%), and compliance challenges (54%).

Read the full results of “ERP Applications and Cloud Adoption.” The survey comes as a follow-up to the February report “The State of Enterprise Resource Planning Security in the Cloud.”

CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights of CSA research.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.