CTO at ERP Maestro
Unclouding the misconceptions: Cloud-based Vs. Cloud-hosted
With organizational fraud becoming ubiquitous and audit season fast approaching, companies are actively seeking automated solutions for managing internal controls. Those who still opt for manual processes to determine segregation of duties (SOD) conflicts are falling behind the curve. Recent studies, including ERP Maestro’s ASUG survey report, all point to the fact that automation minimizes GRC challenges.
However, despite the efficiency, effectiveness and risk-reducing benefits, why are some companies still slow to adopt automation?
For those seeking an automated solution, cloud is the way to go when it comes to access control management, but “cloud” has mixed connotations that aren’t always clear. Many solutions are cloud-hosted (often referred to as cloud-enabled) versus cloud-based. What’s the difference, and how can organizations ensure they are getting the true value of the cloud?
What’s in a name?
Everything, really, when it comes to cloud. While on the surface cloud-based and cloud-hosted might sound similar, they are very different. Both cloud-based and cloud-hosted are deployed in a cloud environment, but that environment varies and helps differentiate between the two. A cloud-based application is what is also known as native-cloud and is hosted in a cloud services platform, such as Amazon Web Services (AWS), Microsoft Azure, etc., and is delivered as a software-as-a-service (SaaS) solution.
True cloud solutions are built from the ground up to operate optimally in a multi-tenancy environment. Why does this matter? It ensures that all customers operate on the latest version without painful or costly upgrades, experience smoother integration with other applications, have the greatest agility and scalability, don’t have hardware to maintain or worry about and can access the solution anywhere at any time.
A cloud-hosted environment, on the other hand, was originally developed more like a traditional data center with some adaptations, like the software encased in an IP wrapper to enable cloud use. In other words, it is an application that is called a cloud solution simply because it is not hosted on a server at the user’s location. The “on-premise” software is hosted on dedicated servers and managed by the vendor on behalf of the customer. Even though a cloud-hosted solution may be accessed from home or other locations other than an office, there are serious limitations, especially when it comes to version consistency and scalability.
The true benefit of automating access controls lies in the ability to constantly monitor the risks in the ERP environment. Given the complexity of ERP systems, the automated solution needs to be able to deliver on the promise of the cloud: scalability to accommodate the ongoing changes in the SAP environment, ease of implementation to deliver immediate visibility into current risks and faster, seamless upgrades to maintain the system. Here is how cloud-based and cloud-hosted solutions for access control and risk management stack up in the above criteria:
Given that they do not require any additional hardware or software installations, the implementation times for cloud-based solutions can be significantly shorter, depending on the solution and complexity of integrations. With ERP Maestro’s cloud-based solution, for example, implementation can be done in minutes and visibility into access risks occur almost “instantaneously.”
Cloud-enabled applications aren’t developed with cloud principles of agility and elastic scalability in mind. Implementation times are longer due to server setup, software installation and customizations. Given the additional installation requirements (hardware and software) and the ongoing maintenance costs, cloud-enabled solutions are more expensive than cloud-native ones.
Companies using cloud-hosted solutions for regulatory compliance should also consider whether it is worth the additional cost to maintain expensive on-premise. According to the 2015 Gartner Report for SOD Controls Monitoring Tools, cloud-based SOD control solutions are, on average 51 percent less expensive than on-premises implementation over an initial period of three years. This number hasn’t changed much in the last several years.
With elastic scalability, a cloud-based solution can order more servers on-demand and then stop using them when they’re no longer needed. It matches the computer-processing capacity with the workload. Apart from drastically reducing IT costs, it allows organizations to be more agile.
Cloud-hosted solutions, on the other hand, have a fixed amount of computing power. Servers can be added to increase capacity, but this is resource and investment intensive. Once you have added your extra servers, you then keep the servers even when you are not using them.
Because SAP ERP systems are complex, and companies keep changing with mergers, acquisitions, adding locations and business units, etc., a cloud-based system can seamlessly accommodate the dynamic expansion of computing resources to scale with usage and users. Dynamic organizations require an access control solution that can facilitate these changes without disrupting the processes or taxing the database system. Because cloud-native solutions are built on the foundation of cloud principles, scalability is a natural feature in such applications. Whereas, cloud-hosted solutions require an increase in infrastructure, which results in increased costs and system downtime.
One of the main advantages of a cloud-native solution is the frequency of updates that can be provided with zero disruptions. In addition, multi-tenancy allows for all clients to be updated simultaneously. The updates have no additional costs and occur seamlessly without any disruptions to the system.
With cloud-hosted software, upgrades are a painful and expensive process. Updates often require multiple tests and versions and IT involvement. Individual upgrades are required per installation, with one installation per client.
Automating access control is all about having the ability to constantly monitor SOD and access control risks – efficiently, cost-effectively and without time-intensive and error-prone manual processes. Cloud-based is the most viable option for the greatest benefits.
Cloud-based Vs Cloud-enabled at-a-glance:
In conclusion, if you are a cloud-first company, cloud-based is definitely the solution that will help you embrace the digital renaissance while providing rapid time-to-value, faster installation and scalability. Not to forget the added advantage of the “run-anywhere” functionality makes the cloud-native solutions light-weight and ensures constant visibility of the access risks in your SAP system.
Learn more about the first cloud-based access control management solution.