
Is Odoo safe?

19 September 2023 by

In times when reports of cyber attacks or data breaches are becoming more frequent, the security of your digital business environment is a valid concern. Companies are increasingly managing processes entirely digitally, but just as physical information can be protected by locking a door, precautions must also be taken for a digital business environment. 

Fortunately, with an Odoo cloud solution, you can sleep soundly. Odoo takes various measures, both regarding the cloud platform and the software itself.

The Odoo cloud platform 

Firstly, each Odoo environment is separate from the others. No data is exchanged between different customers, even if their databases were to run on the same cluster. 


Each database is only accessible with the login and password of its specific users. These passwords are encrypted according to various industry standards. Login credentials are always sent encrypted via HTTPS (in layman's terms: unreadable if intercepted, unlike with HTTP). The staff of Odoo or your Odoo partner cannot access your password in any way. Finally, you can also configure your Odoo database so that passwords must have a certain minimum length, that a cool-down period applies after a certain number of failed login attempts, or that users must log in using two-factor authentication.
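To make the cool-down behaviour concrete, here is an added example (not Odoo's own code, and the thresholds are constructed for illustration) of a sliding-window failed-login counter: after a set number of failures within a window, the login is locked for a cool-down period, and the lock is checked before any password is verified, so a locked account reveals nothing about whether the supplied password was right.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter with a cool-down (constructed policy).

    After `max_failures` failures within `window` seconds, the login is locked for
    `cooldown` seconds; a successful login clears the counters. Not Odoo's own code.
    """

    def __init__(self, max_failures=5, window=300, cooldown=900):
        self.max_failures = max_failures
        self.window = window
        self.cooldown = cooldown
        self._failures = defaultdict(deque)  # login -> timestamps of recent failures
        self._locked_until = {}              # login -> unix time at which the cool-down ends

    def _prune(self, login, now):
        # Drop failures that fall outside the sliding window.
        recent = self._failures[login]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, login, now=None):
        now = time.time() if now is None else now
        return now < self._locked_until.get(login, 0)

    def seconds_remaining(self, login, now=None):
        now = time.time() if now is None else now
        return max(0, int(self._locked_until.get(login, 0) - now))

    def record_failure(self, login, now=None):
        """Register a failed attempt; return True when this failure triggers the cool-down."""
        now = time.time() if now is None else now
        self._prune(login, now)
        self._failures[login].append(now)
        if len(self._failures[login]) >= self.max_failures:
            self._locked_until[login] = now + self.cooldown
            self._failures[login].clear()
            return True
        return False

    def record_success(self, login):
        self._failures.pop(login, None)
        self._locked_until.pop(login, None)


def attempt_login(throttle, login, password_ok, now=None):
    """Outcome of one login attempt: 'locked', 'ok' or 'failed' (constructed helper).

    The lock is checked before the password result is consulted, so a locked account
    gets the same answer whether or not the password was correct.
    """
    now = time.time() if now is None else now
    if throttle.is_locked(login, now):
        return "locked"
    if password_ok:
        throttle.record_success(login)
        return "ok"
    throttle.record_failure(login, now)
    return "failed"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window=60, cooldown=120)
    for second in range(3):
        print(attempt_login(t, "alice", password_ok=False, now=1000 + second))
    # Even the correct password is refused while the cool-down is running.
    print(attempt_login(t, "alice", password_ok=True, now=1003), t.seconds_remaining("alice", 1003))
```

The `now` parameters exist only so the behaviour can be exercised deterministically; in a real service the timestamps come from the clock and the counters live in shared storage rather than in one process's memory.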


In addition to the databases, there are the data centres where the Odoo Cloud servers are hosted. These are protected physically, through access control and 24/7 security with cameras and on-site security personnel, and at the software level, as the Odoo cloud servers run on hardened* Linux distributions with up-to-date security patches.

*Hardened in this context means that the operating system is optimised to avoid unnecessary updates or changes in configuration, and that additional security measures have been taken to ensure the robustness of the operating system.


The Odoo software 

Given that many companies use a variety of different tools to manage various business processes digitally, it is precisely in the transfer of data between those tools that problems often occur.

Integrations need to be set up to allow these tools to communicate with each other, or, in some outdated cases, data is even transferred manually from one system to another. It is often these transfers that are vulnerable to data leaks. This is a first concern that is alleviated by using Odoo as business software: since many more business processes take place in the same tool, few or no connections need to be established. The risk of (manually) passing information from the sales department to the production floor is largely mitigated in this way.


According to the Open Web Application Security Project (OWASP), the most common vulnerabilities in web applications are injection vulnerabilities, cross-site scripting (XSS), and broken access control.


Odoo ORM


The Odoo object-relational mapping (ORM) framework prevents the first of these because queries (in plain terms: requests to the database) are built by the ORM framework rather than written directly in the developers' code. SQL injection is thus prevented. In other words: since the Odoo framework generates these queries itself, a potential attacker cannot simply inject their own SQL here or do as they please.
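The mechanism behind this claim is that the ORM binds values as parameters instead of pasting them into SQL text. The following added example (written for this article, not Odoo's own code; the table, rows and the `domain_to_sql` miniature of a domain-based search API are all constructed) contrasts a string-formatted query with a parameterised one and with a tiny ORM-style domain builder, using an in-memory SQLite table so it runs offline:

```python
import sqlite3


def make_sample_db():
    # Constructed in-memory table that only mimics the shape of a partner table;
    # it is not an Odoo database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO res_partner (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com"), ("Carol", "carol@example.com")],
    )
    return con


def find_partners_unsafe(con, name):
    # Anti-pattern, shown only for contrast: the value is pasted into the SQL text,
    # so a value containing quotes can change the meaning of the query.
    sql = "SELECT name FROM res_partner WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


def find_partners_param(con, name):
    # Parameterised query: the driver receives SQL text and value separately, so the
    # value is only ever compared as data, whatever characters it contains.
    sql = "SELECT name FROM res_partner WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# Hypothetical miniature of the ORM approach: callers describe what they want as a
# domain of (field, operator, value) triples and never write SQL themselves.
ALLOWED_FIELDS = {"name", "email"}
ALLOWED_OPERATORS = {"=", "!=", "like"}


def domain_to_sql(domain):
    clauses, params = [], []
    for field, operator, value in domain:
        # Field and operator names come from fixed allow-lists; values are always bound.
        if field not in ALLOWED_FIELDS or operator not in ALLOWED_OPERATORS:
            raise ValueError(f"invalid domain term: {(field, operator)!r}")
        clauses.append(f'"{field}" {operator} ?')
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT name FROM res_partner WHERE {where}", params


def search(con, domain):
    sql, params = domain_to_sql(domain)
    return [row[0] for row in con.execute(sql, params)]


if __name__ == "__main__":
    con = make_sample_db()
    probe = "x' OR '1'='1"  # constructed input of the kind a tester types into a search field
    print("unsafe :", find_partners_unsafe(con, probe))  # the WHERE clause collapses; every row is returned
    print("param  :", find_partners_param(con, probe))   # no partner is literally called that
    print("domain :", search(con, [("name", "like", "%o%")]))
```

The domain builder shows why the ORM route holds up: the only parts of the query a caller can influence are checked against allow-lists, and values are handed to the driver as parameters. A code review should treat any hand-built SQL string that interpolates request data the way `find_partners_unsafe` does as a defect.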


XSS hacks


XSS attacks (where a malicious script is slipped into an otherwise well-functioning page) are also prevented, as the Odoo framework by default escapes all expressions displayed in views and pages. An XSS flaw can occur when an application sends data received from a user to the web browser without first validating or encoding it. This could allow scripts to be executed that take over your Odoo session or crash your database. However, since as a developer you must explicitly mark an expression as “safe” before it is rendered unescaped, this cannot happen in an Odoo environment.
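The escape-by-default, opt-in-to-safe pattern the paragraph describes can be shown in a few lines. This added example is not Odoo's own template engine; `Markup`, `render` and the `{{ name }}` placeholder syntax are constructed stand-ins that mirror the idea: every value is HTML-escaped on output unless the developer has explicitly wrapped it as trusted markup.

```python
import html
import re


class Markup(str):
    """A string a developer has explicitly declared safe to emit as HTML.

    Hypothetical stand-in for the "safe" marking the article mentions; not Odoo's class.
    """


def escape(value):
    """Escape anything that has not been explicitly marked as Markup."""
    if isinstance(value, Markup):
        return str(value)
    # quote=True also escapes " and ', so the result is safe inside attribute values too.
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, **values):
    """Render {{ name }} placeholders, escaping every value by default (constructed renderer)."""

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(name)
        return escape(values[name])

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed hostile inputs: the escaped output is inert text in the browser.
    print(render("<p>Welcome, {{ name }}</p>", name='<script>alert("xss")</script>'))
    print(render('<a title="{{ title }}">link</a>', title='" onmouseover="x'))
    # Only an explicit Markup value passes through unchanged.
    print(render("<div>{{ body }}</div>", body=Markup("<b>trusted markup</b>")))
```

The review question this pattern leaves open is where `Markup(...)` is applied: every such call is a place where the developer has taken responsibility for the content, so those calls are what a security review of templates should look at first.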


Access control


Broken access control, such as an attacker changing the record identifier in a URL to open other records, is impossible in Odoo because every request must undergo access control again. URLs sent out by Odoo (such as the link customers receive to confirm a sales order) are digitally signed with unique tokens and only sent by email to the intended recipient.
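Here is an added example of how a signed record link of the kind described above can be issued and checked. It is not Odoo's implementation: the URL layout, the `r`/`exp`/`sig` query parameters and the signing key are all constructed for this illustration. The signature covers the model, the record identifier, the recipient and an expiry time, so changing the record number in the path (the scenario the paragraph describes) invalidates the link. The server still applies its normal access rules after the signature check, which is the "access control on every request" point.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key. A real deployment keeps this in server-side configuration;
# the literal below exists only so the example runs offline.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _signature(model, record_id, recipient, expires):
    # Everything that must not be altered goes into the signed message.
    message = f"{model}|{record_id}|{recipient}|{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def make_signed_link(base_url, model, record_id, recipient, ttl=7 * 24 * 3600, now=None):
    """Build a link for one record, bound to one recipient, valid for `ttl` seconds."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    query = urlencode({
        "r": recipient,
        "exp": expires,
        "sig": _signature(model, record_id, recipient, expires),
    })
    return f"{base_url}/{model}/{record_id}?{query}"


def verify_signed_link(url, now=None):
    """Return (model, record_id) if the link is intact and unexpired, otherwise None.

    The caller must still apply its normal access rules to the record afterwards; the
    signature only proves that the server issued this exact link to this recipient.
    """
    now = int(time.time() if now is None else now)
    parsed = urlparse(url)
    path_parts = parsed.path.rstrip("/").split("/")
    if len(path_parts) < 2:
        return None
    model, record_id = path_parts[-2], path_parts[-1]
    params = parse_qs(parsed.query)
    try:
        recipient = params["r"][0]
        expires = int(params["exp"][0])
        provided = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if now > expires:
        return None
    expected = _signature(model, record_id, recipient, expires)
    # Constant-time comparison so the check leaks no timing information about the signature.
    if not hmac.compare_digest(expected, provided):
        return None
    return model, record_id


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    link = make_signed_link("https://erp.example.com/my/orders", "sale.order", 42,
                            "alice@example.com", now=issued_at)
    print(link)
    print(verify_signed_link(link, now=issued_at + 100))                      # ('sale.order', '42')
    print(verify_signed_link(link.replace("/42?", "/43?"), now=issued_at + 100))  # None: tampered id
```

Two details matter in practice: the expiry is part of the signed message, so it cannot be extended by editing the query string, and the comparison uses `hmac.compare_digest` rather than `==`.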


Community and shared responsibility


Finally, the Odoo community also lends a hand. The open source codebase is continuously scrutinised by Odoo users, employees, partners, and developers. The feedback and bug reports from the community are an important source for Odoo, and Odoo encourages everyone to report security issues. You can find more information about that here.

It remains important to remember that cybersecurity is the responsibility of everyone in an organisation. Following basic best practices (such as not sharing passwords or locking your computer when it is left unattended in a room) remains essential.

Conclusion 

With an Odoo environment, you can be at ease. In addition to the basic precautions you can set up yourself, such as two-factor authentication, and the inherent security of having one programme that requires fewer or no integrations with other programmes, security measures are embedded throughout the entire Odoo framework. Your valuable data is therefore safely locked away. 

