A cybersecurity research and solution firm announced in August 2024 that it had uncovered a misconfiguration in NetSuite SuiteCommerce that had potentially exposed the data of thousands of ecommerce business users publicly on the Internet. According to AppOmni, the vendor that uncovered the error, this exposure could potentially have allowed unauthorized users to access a specific file type in Oracle NetSuite’s database via a web-facing API, while the ERP was effectively creating storefront websites by accident and without the customer’s knowledge.
The August 2024 NetSuite Misconfiguration
The misconfiguration in question arises from a file type that allows NetSuite users to store customized reports and share them outside of the system. These Custom Record Types (CRTs) allow data to be exchanged externally when it needs to be, such as in this case with an ecommerce storefront or other portal. However, the problem arises when users do not change the access levels on a CRT that is connected to an Internet-facing database; through the API connection, this can potentially allow a malicious actor to read those records and even possibly modify a CRT themselves.
NetSuite SuiteCommerce Publishing Default Websites
An important point uncovered in the investigation of the misconfiguration was how either SiteBuilder or SuiteCommerce in NetSuite had inadvertently published live websites even when customers had not intended it. It was found that these modules could push the default stock website used for fast setup or testing to live production without users fully understanding what had occurred.
This exacerbated the potential vulnerability arising from mishandled CRT access permissions by creating an unmonitored endpoint that a bad actor could possibly exploit without the knowledge of system administrators. Even worse, much of the data found exposed by the researchers who uncovered the misconfiguration was Personally Identifiable Information (PII) of customers of those NetSuite users, which could have led to serious repercussions such as noncompliance fines if data privacy regulations were breached.
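The two failure modes described above (an open-access CRT reachable from a web-facing site, and a stock site pushed live by accident) can be checked together from a configuration inventory. The following audit is an added example written for this post, not AppOmni's or Oracle's code; the data model, the access-type label strings and the sample records are all constructed assumptions rather than NetSuite's actual API.

```python
"""Audit a constructed NetSuite-style inventory for the two conditions the post
describes. Access-type labels and the record/site model are assumptions."""
from dataclasses import dataclass, field

PII_HINTS = ("email", "phone", "address", "ssn", "name", "dob")
OPEN_ACCESS = "No Permission Required"   # assumed label for an open CRT access level
SEVERITY_ORDER = ("critical", "high", "medium")

@dataclass
class CustomRecordType:
    script_id: str
    access_type: str                      # e.g. "Use Permission List" (assumed label)
    fields: list
    used_by_sites: list = field(default_factory=list)   # site ids that render it

@dataclass
class Site:
    site_id: str
    live: bool
    default_template: bool                # stock SuiteCommerce/SiteBuilder site

def pii_fields(crt):
    """Field names that look like PII, by simple substring heuristics."""
    return [f for f in crt.fields if any(h in f.lower() for h in PII_HINTS)]

def audit(crts, sites):
    """Return (severity, subject, reason) findings, most severe first."""
    live = {s.site_id for s in sites if s.live}
    findings = []
    for s in sites:                       # stock site accidentally in production
        if s.live and s.default_template:
            findings.append(("high", s.site_id, "default site published live"))
    for c in crts:
        exposed_on = [sid for sid in c.used_by_sites if sid in live]
        if c.access_type == OPEN_ACCESS and exposed_on:
            pii = pii_fields(c)           # PII raises an exposed CRT to critical
            findings.append(("critical" if pii else "high", c.script_id,
                             f"open CRT reachable via {exposed_on}; PII fields {pii}"))
        elif c.access_type == OPEN_ACCESS:
            findings.append(("medium", c.script_id, "open access, not on a live site"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))

# Constructed sample inventory (not real customer data).
SAMPLE_SITES = [Site("store_main", True, False), Site("store_test", True, True),
                Site("store_draft", False, True)]
SAMPLE_CRTS = [
    CustomRecordType("customrecord_customer_notes", OPEN_ACCESS, ["customer_email", "note"], ["store_main"]),
    CustomRecordType("customrecord_promo_banner", OPEN_ACCESS, ["image_url", "headline"], ["store_test"]),
    CustomRecordType("customrecord_vendor_rates", "Use Permission List", ["vendor_name", "rate"], ["store_main"]),
    CustomRecordType("customrecord_legacy", OPEN_ACCESS, ["sku"], ["store_draft"]),
]

if __name__ == "__main__":
    for sev, subject, reason in audit(SAMPLE_CRTS, SAMPLE_SITES):
        print(f"[{sev}] {subject}: {reason}")
```

Feeding the script a real export of CRT access types and site states turns the post's advice to "keep an eye on how systems connect to the Internet" into a repeatable check that can run on every configuration change.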
Oracle Response
AppOmni claims to have reached out to Oracle – the owner of NetSuite – about the access functionality behind the CRTs and SuiteCommerce on June 27, 2024. Though Oracle investigated promptly, they ostensibly found that SiteBuilder and SuiteCommerce were working as intended. AppOmni later published details of the misconfiguration online, after which Oracle decided to take steps to update NetSuite and mitigate exposure risks for their affected customers.
Cloud ERP Security Requirements
It is important to note that, as pointed out by AppOmni directly in their announcement, this issue between CRTs and NetSuite SuiteCommerce does not inherently constitute a system vulnerability by itself. The cybersecurity concerns arise from both the possible exploitation of this misconfiguration and the fact that it could go completely unnoticed on the NetSuite user side, where the physical and assumed responsibility for securing the SaaS (Software as a Service) environment typically falls. What this means is that in a cloud deployment such as with the ERP in question, customers are often fully expected to protect their own data locally and keep an eye on how their systems connect to the Internet to prevent accidental exposures such as this.
There is an inherent challenge in this approach that is illustrated by examples such as this, and misconfigurations are one of the most common origins for similar news stories. Full SaaS solutions must maintain a web connection to access their functions and data that is hosted on a remote server located in a data center somewhere else, and this bridge must be secured on both ends. Cloud ERP security has always required a paradigm shift in traditional IT thinking, one that is more proactive about mitigating the risks of human error.
An Interconnected Multi-Cloud World
The example with NetSuite SuiteCommerce and SiteBuilder, the CRTs, and the live default ecommerce systems illustrates another issue inherent – yet too often overlooked – in cybersecurity practices for cloud-based environments. Many clouds will inevitably “brush up” against each other via user interaction between connected endpoints, including unmonitored “shadow IT” ecosystems of personal user devices and apps signing into business networks. Even hybrid cloud deployments need to be mindful of the outdated protections featured in on-premise systems, including for reconfigured platforms migrated to a web-based environment from a legacy architecture.
The good news is that there are many ways to protect your data that exists in various clouds or that will be exposed to other cloud-connected networks. The somewhat bad news is that it requires a much more hands-on approach to application security when it comes to your ERP and other critical business management solutions, but there are ways to make your cyber defense scalable.
The Importance of ERP Training – Security and Compliance
The entire situation with the NetSuite misconfiguration exemplifies why many ERP implementations need an experienced software consultant to advise on these types of events. Oracle’s initial response also reflects what happens when there is no one to advocate for the end user, which is something that a trustworthy VAR (value-added reseller) cemented in the ecosystem will take up when issues like this fall through the cracks. In either case, having a partner with a closer view on the ground and with the knowledge needed to avoid these sorts of pitfalls would help you identify and prevent this sort of misconfiguration from seriously impacting your business, as well as uncover other obstacles to enforcing cybersecurity and data privacy compliance.
Other Cloud ERP Options
Although SWK Technologies is no longer a NetSuite consultant or reseller*, we can recommend other options for businesses that wish to remain with a cloud ERP but have concerns about their security or other critical needs:
Acumatica
Acumatica Cloud ERP is a state-of-the-art, flexible and highly scalable solution designed to be user-centric first and foremost, from the malleability of its interface to its unlimited seats pricing structure. For cybersecurity, Acumatica also features several built-in protocols as well as different hosting options beyond just SaaS as with NetSuite. Customers are able to deploy their solution in a private cloud hosted and maintained in-house or with a certified CSP (cloud services provider). It can also be deployed in an on-premise environment while still retaining its modern web-based architecture.
Sage Intacct
Sage Intacct is a market-leading accounting system and the only such software to be certified by the AICPA – the top association for registered accountants around the globe – for its functionality and security protocols. This means that the features in this solution have been audited and validated to comply with key information security regulations, including SOC 1, SOC 2, PCI, HIPAA, GDPR and more.
*SWK ended our relationship with NetSuite in 2018 and no longer provides support for NetSuite users; if you intend to remain on Oracle NetSuite, we recommend locating a certified NetSuite VAR if you have not done so already to help you with any security concerns. If you wish to consider other options, you can always reach out to us at info@swktech.com.
Contact SWK Technologies with Cloud Security Questions
Do not let overlooked cloud security gaps put your business and customer data at risk – SWK Technologies will help you make sure your valuable systems and information are protected against both human error and external threats. Reach out to our team of experts for a free consultation and ensure your ERP implementation is built on cybersecurity best practice.
Contact SWK here to learn more about cloud ERP security and how to guarantee your data remains safe, protected and compliant with privacy regulations.