Cloud Infrastructure Review

Your cloud vendor configured the infrastructure. Did they configure it securely?

Moving your ERP to the cloud doesn't mean your provider handles security. Under every shared responsibility model, the security configuration of what runs inside the cloud is your responsibility.

The shared responsibility reality

What your cloud vendor secures — and what they don't

Every major cloud platform operates on a shared responsibility model. The vendor secures the physical infrastructure and managed platform services. Everything above that — your configuration, network settings, firewall rules, backup policies — is yours to secure.

In practice, this means WAF rules are available but not configured by default. Security groups exist but ship with permissive settings. Backup services are provisioned but immutability is opt-in.

We've seen this pattern across SAP RISE, Oracle Cloud, and AWS-hosted ERP environments. The infrastructure is there. The security configuration is not.

Seven domains

What we review

01

Web Application Firewall (WAF)

Is your WAF active and properly rule-configured? Many cloud ERP deployments have WAF provisioned but rules not enabled — leaving ERP web interfaces exposed to injection attacks, bot traffic, and application-layer DDoS.

02

Security Groups & Network ACLs

Default security group configurations are typically permissive. We review every inbound and outbound rule against the principle of least privilege — identifying open ports, overly broad CIDR ranges, and unnecessary service exposures.

03

Firewall & FWaaS Configuration

We assess firewall rules, zone segmentation, and Firewall-as-a-Service configuration. We check whether east-west traffic between ERP components is appropriately restricted.

04

Proxy & Web Dispatcher Security

SAP Web Dispatcher, Squid proxy, and reverse proxy configurations are frequently misconfigured or left at defaults. We review proxy settings, access controls, and SSL termination configuration.

05

Backup Immutability & Recovery

Are your backups protected from ransomware? Immutable backup configuration is one of the highest-impact controls and one of the most commonly missed. We verify immutability settings, RPO/RTO, and restoration testing evidence.

06

Logging, Monitoring & SIEM

Is your ERP infrastructure generating audit logs? Are they forwarded to a SIEM? Are retention periods adequate for your regulatory requirements? We assess logging completeness and monitoring coverage.

07

Encryption & Certificate Management

We verify encryption in transit (TLS version, cipher suites) and at rest (key management, rotation policy) across your ERP infrastructure stack.

Platforms

Cloud platforms we review

  • SAP RISE (ECS)
  • AWS
  • Microsoft Azure
  • Google Cloud Platform
  • Oracle Cloud Infrastructure

SAP RISE customers: For RISE-specific ECS service request guidance and shared responsibility assessment, visit sapcyberx.com

Deliverables

  • Infrastructure security baseline report
  • Risk-rated findings with vendor remediation guidance
  • Configuration hardening checklist
  • For RISE customers: ECS Service Request scope and prioritisation

Engagement: 1–3 weeks | Fixed price after scoping call