Procure-to-Pay (P2P) automation solutions can provide a cost-effective approach for improving your financial supply chain, reducing paper documents, streamlining P2P processes, and deploying supplier portals to eliminate payment- and invoice-related phone calls from suppliers. There are a variety of approaches to implementing such solutions, but certain options pose higher security risk than others. To a large extent, the security issues you’ll need to manage depend on which of the three options below you choose to implement your P2P deployment.
Option 1: In-house Deployment
An in-house deployment? Are you sure you want those responsibilities and headaches? There are three different implementation approaches, each with their own benefits and pitfalls. It’s not always an easy decision because you need to consider your resources, your security risks, and how to best mitigate those risks. These risks certainly aren’t trivial. Remember when Target was hacked? Thieves stole payment data for 100 million customers. Even financial organizations like JP Morgan Chase aren’t immune. A cyber-attack at that bank compromised personal information for almost half a million clients. You can see that security breaches can easily cripple any company. An in-house deployment requires you and your IT team to either design and build your own applications and supplier portals, or purchase vendor applications and adapt them to your needs.
More resources. A shrinking ROI.
Just a few years ago, an in-house deployment was pretty much a standard choice because outsourcing options were limited. On the other hand, security risks were far more manageable then compared to today’s more constant and unrelenting attacks. IT has also grown more complex. Remember, a P2P application isn’t the only application your IT team must manage, and resources may be spread thin. If you have to add staff to manage your P2P application, the savings can easily evaporate – taking a big bite out of your ROI.
Who can get behind your firewall?
With an in-house deployment, your IT team will have to cope with multiple vectors for intrusion and be ready to immediately apply security patches. You’ll also have to account for strict access control. Using this approach IT personnel (and possibly others) can log in behind your firewall to access to your main ERP application, such as SAP. So security isn’t just a matter of technology. It’s also a matter of who you hire. For these reasons, you don’t see as many in-house deployments these days because they’re often not worth the internal effort, headaches, and hassles to maintain an acceptable security stance.
Option 2: Running in the Cloud
IT teams need to be nimble and may not have enough resources to manage, update – and most importantly – secure P2P and other applications against intrusions. The stakes can be high, especially when sensitive financial data is at risk. When an application is deployed on the cloud, that’s one less application your IT team must manage. But there are some pitfalls to watch out for. With a cloud-based deployment, you no longer manage applications in your data center, but rely on a cloud provider instead. The provider essentially delivers you an “instance” of a virtual machine that runs in their data center, and gives you network connectivity to that instance.
Lack of control over hardware and networking
When applications run on the cloud, you do maintain control and can configure the operating system and all of your software as you wish, but there are vulnerabilities. First, while you control your applications, another company owns and operates all the hardware and networking hosting those applications. If a vulnerable port is left open or the system is poorly configured, you may not be aware of these issues until it’s too late. While in-house deployments can be complex, at least you control how issues are resolved. Cloud providers may not be as responsive as you’d like. If the company does not respond to your questions and concerns quickly enough, resolving problems can be frustrating – and in some cases risky if security is involved.
Other applications can make you a target
When you deploy an application on the cloud, the same physical hardware running your application may serve other companies that adopt different security stances. Some applications shared on your server may be extremely alluring targets for hackers, such as sites that trade Bitcoins, sell online pharmaceuticals, or perhaps worse.
In addition, your IT team still must remain current on new and emerging threats and vulnerabilities to assure appropriate patches are quickly deployed via your cloud provider. If you do decide to consider a cloud-based solution, be sure to select a provider known for quick response and rigid controls.
Option 3: Private SaaS Hosting
Private Saas (software as a service) hosting calls for running your application on a privately hosted SaaS platform. This gives you full control over who can access your data, but relieves your IT team of the burden of installing, managing, hosting, and securing your application and supplier portals. Using a SaaS-based approach, an application provider takes on all these responsibilities and deliver your P2P applications as a service.
Layered, more refined security
Any reliable SaaS provider will approach data and access security based on a “layered” framework. This protects the infrastructure and your data against security threats, with application provider responsible for monitoring the security environment for new threats and vulnerabilities on a daily basis, then rapidly patching applications to protect against these threats. With a privately-hosted SaaS solution, your application provider can completely control access to the firewall and the operating system, as well as isolate your data infrastructure. You also eliminate the risk of sharing servers with other unknown applications, which a major issue of cloud-based deployments
You keep the keys, maintain full viability
A privately-hosted SaaS-based solution gives you the advantage of a flexible architecture and design, plus knowing exactly where and how data is stored. You also have one point of contact to address security and issues as needed. You’ll also rest easy knowing that no unknown entities have the “keys” to access your data, or be able to log in “behind the firewall” where sensitive data is stored. When an application provider manages both the application and the platform, you can enjoy added reassurance that extends beyond the in-house or cloud-based approaches.
Direct Commerce offers a secure, web-based suite of products that are architected, installed and managed by an agile, experienced team of professionals acting as a dedicated extension of your internal team. Contact us for a demonstration of our platform.