Infor: Pressure points for secure code structures

We need to build secure systems. Because enterprise organizations naturally want to be able to run their operational workflows on a fabric of scalably robust services now augmented with increasing levels of intelligent automation, we need to ensure that those systems are constructed upon a foundation of secure code.

But with so many risks, vulnerabilities and loopholes to consider, how should firms operating their ERP estates find the pressure points within their IT stack to ensure they run on secure code structures? ERP Today sat down with Mike Kalinowski, Infor’s senior director of product management in the company’s Platform Technology team to get some much-needed insight on this topic.

Kalinowski explains that the mission-critical role ERP and enterprise products play in driving the world’s manufacturing, distribution and healthcare sectors (together with the customer demand that exists in these spaces) is driving vendors to provide, and ERP customers to use, more elastic and scalable services, while capitalizing on emerging technologies sourced directly from the B2C space to create faster ROI and competitive advantages in B2B markets.

“This rate of technology acceleration, coupled with IT and leadership expectations to translate hype into tangible outcomes, motivates vendors to reconsider how they go to market – starting with their infrastructure, hyperscaler partnerships and architecture designs,” said Kalinowski.

Adopt microservices, big style

Looking at next steps here, Kalinowski sees technology vendors moving to a microservices strategy to maintain rates of innovation and to be able to pivot capabilities to deliver value in newly identified technology segments. It’s a strategy that customers themselves should clearly look to follow. But, he says, while the risk/reward ratio for SaaS players is clear, vendors such as Infor are thinking about how to drive security from the ground up. We know that 24/7 businesses are interested in investing in the outcomes of a future driven by AI/ML, Large Language Models and graph technologies, but not at the risk of disrupting operational aspects of their core businesses.

“This translates into vendors…building a future class of enterprise innovation platform technologies as well as ERP products that are fully elastic while minimizing security risks – whether those be malicious actors delivering drive-by attempts to gain information around vulnerable technologies and product designs or simply the consequences of a well-intentioned enterprise developer/user accidentally deploying a solution featuring infinite loops. SaaS providers need to balance the needs of many while protecting business continuity for all,” clarified Kalinowski.

Security hygiene: now wash your hands

He advises firms working in this space to think about their security posture and what we are now able to call ‘security hygiene’, which starts at product architecture inception. By partnering with hyperscalers such as AWS, Infor delivers leveraged access to leading managed service teams that must account for both scale and security, which few other IaaS providers can touch.

“Risk management and mitigation means evolving the role of CloudOps into process stewards rather than personal automatons delivering R&D outputs on a continuous basis,” said Kalinowski. “R&D needs to invest in DevOps to lean into delivery models that focus on infrastructure as code to mitigate the fallibility of even the most talented operations and engineering personnel.” 

In search of a cheese-based analogy here, the Infor VP product management leader highlights the Emmenthal security model, also known as the Swiss cheese model for security. Security practices are embedded starting at the infrastructure level, and additional layers of security then need to be prioritized and productized at the services and product interaction layers. This ensures multiple lines of defense and reduces the chance of the holes between Swiss cheese slices lining up and resulting in compromise.

Spaghetti architectures

“REST, GraphQL and other APIs can be inconveniently convenient. The flexibility and novelty of delivering self-service outcomes through low-code & no-code product experiences often allow for a lapse in risk appraisal and who has access to sensitive, privileged, or lucrative data. API gateways are instrumental not only in simplifying increasingly fraught and fragile ‘spaghetti’ architectures but also enforcing front-line defenses to permit only authorized consumers while providing observability,” said Kalinowski.

We also need to remember that product experiences themselves need to evangelize ‘principle of least privilege’ models (the notion that any user, program or process should have only the lowest level of access and privileges needed to perform its function or role) and drive a configuration engagement model that puts customers in charge of entitlements and limits the surface area for opportunistic access violations.

Overall then, Kalinowski concludes that B2B SaaS vendors need to evolve into service utilization economies, where value is recognized in utilization, time saved and FTEs repurposed from previously unautomated labor.

Scaling for burst-y events

“This introduces competitive advantages to enterprise customers, served by vendors such as Infor – where the built-in elasticity model underpinning software enables companies to scale for burst-y events. As a byproduct, these SaaS vendors have a need to invest in observability and real-time alerting not only to address real-life scaling factors of a business but also to distinguish and identify anomalous events and prevent Black Hat activities,” concluded Kalinowski.

There is much to consider here, and Infor (arguably) has enough scope to consider the smörgåsbord of pressure points, software application tools and platform-level paradigms that all work in unison to create the complexity that clearly exists in many modern cloud-centric deployments. The pressure points exist, but there are remedies and cures available: take two.