How safe is Odoo?

How safe is Odoo? It's a question we get asked more and more. Not surprising when you read all the news reports about hacked companies, such as recently in the Netherlands with the VDL group: "VDL Groep still suffers from cyber attack", headlines the Dutch newspaper NRC. These reports put everyone on edge and perhaps also frighten people. How do we protect ourselves against these hackers? Can this happen to me too? These are important questions that many entrepreneurs face. Today, every company is largely dependent on business software, and a cyber attack or hack can have major consequences for the continuity of the company.

Odoo Experts' customers use the ERP system Odoo, and (almost) all of them use the Odoo.sh hosting platform. Although you can also run Odoo locally (on premise), this blog assumes an Odoo.sh environment. Odoo, Odoo.sh… yeah, yeah, but how safe is that really?

When we talk about security, we can distinguish two types of security problems: data loss (due to theft) and not being able to access your data. Let's take a closer look at these two security issues.

Data loss (due to theft)

The biggest security risk for data loss is the employees who have access to the Odoo software and/or database. Employees need access to, for example, customer and product data for their daily work. Because they can consult this data, they can also steal it, for instance by making an export, taking screen dumps or even taking photos. Unfortunately there is very little that can be done about this. All you can do is restrict access (rights) to the most sensitive information.

You can make access to Odoo itself as safe as possible. Odoo offers the following options for this:

  • A password policy (minimum length) and password strength check

  • Time-based two-step verification (2FA TOTP)

  • LDAP Connection and login

  • OAuth provider login (Google, Microsoft *, Facebook) *Microsoft Azure AD is not yet supported

Passwords are stored hashed with the industry-standard PBKDF2+SHA512 scheme (a one-way password hash, not reversible encryption). Credentials are always sent securely over HTTPS. It is also possible to set a rate limit and cooldown time for repeated login attempts. Other password policies, such as required characters, are not supported by default, as they have proven to be counterproductive (see e.g. Shay et al., 2016).

The problem with all security options is that nothing is 100% secure. With each method there is a trade-off between convenience and safety. For many companies, a combination of options one and two will suffice: a good password policy plus two-step verification via SMS or via an authenticator app.
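To make the three access-control mechanisms above concrete (a minimum-length password policy, PBKDF2-SHA512 password hashing with constant-time verification, time-based one-time codes, and a cooldown after repeated failed logins), here is an added example in Python. It is not Odoo's code and does not use Odoo's API; the policy values (`MIN_PASSWORD_LENGTH`, `PBKDF2_ROUNDS`, the throttle limits) and the `users` store are assumptions for the demonstration. The TOTP routine follows RFC 6238, so it can be checked against the RFC's published test secret.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# Assumed policy values for this example, not Odoo's defaults.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 210_000
TOTP_STEP = 30


def password_meets_policy(password: str) -> bool:
    """Minimum-length check only: no composition rules, in line with the
    point above that required-character rules are counterproductive."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA512 with a random 16-byte salt. The stored string
    carries algorithm, rounds and salt so verification is self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2-sha512${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key and compare it in constant time."""
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hash of a dummy password, so a login for an unknown account costs the
# same time as one for a real account (no user-enumeration via timing).
_DUMMY_HASH = hash_password("dummy-password-for-timing")


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step): the scheme behind
    authenticator-app codes."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


class LoginThrottle:
    """Per-account cooldown: after max_failures failed attempts the account
    is locked for cooldown seconds (the rate limit mentioned above)."""

    def __init__(self, max_failures: int = 5, cooldown: int = 60) -> None:
        self.max_failures = max_failures
        self.cooldown = cooldown
        self._failures = {}
        self._locked_until = {}

    def allowed(self, user: str, now: float) -> bool:
        return now >= self._locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> None:
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.cooldown
            self._failures[user] = 0

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def login(users: dict, throttle: LoginThrottle, user: str,
          password: str, code: str, now: int) -> str:
    """Full check: cooldown, then password, then TOTP. Returns a status string."""
    if not throttle.allowed(user, now):
        return "locked"
    record = users.get(user)
    stored = record["hash"] if record else _DUMMY_HASH
    if not verify_password(password, stored) or record is None:
        throttle.record_failure(user, now)
        return "bad-password"
    if not verify_totp(record["totp_secret"], code, now):
        throttle.record_failure(user, now)
        return "bad-code"
    throttle.record_success(user)
    return "ok"
```

The order of checks matters: the cooldown is consulted before any expensive hashing, a wrong password and a wrong one-time code both count towards the lock, and the dummy hash keeps the response time the same whether or not the account exists.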

In addition to the risk of data loss due to (unwanted) access to Odoo, there is also the risk of database access and access to Odoo's physical servers. This risk is many times smaller than access to Odoo itself. Direct access to the Odoo database is not possible on Odoo.sh.

Various measures have been taken to ensure the security of the data, for example against physical access or access by employees. You can read about this on Odoo's security page.

Not being able to access your data

Not having access to your data can have many causes, such as a bug in the software or a hardware failure, but also larger causes such as disasters, viruses, cyberattacks, ransomware or other hacks. Here we can again make a distinction: the security measures to prevent this, and the possibilities to recover after it has happened.

Security measures Odoo

To limit the risk, Odoo has built in safeguards on several fronts. When developing the software, security is paramount (Odoo Secure by Design). Odoo participates in the CSA Security Trust Assurance and Risk (STAR) program. Odoo Cloud servers are hosted in trusted data centers in different regions of the world (e.g. OVH, Google Cloud), and all of them must exceed Odoo's physical security criteria, such as:

  • Restricted access, only physically accessible to authorized data center employees

  • Physical access control with security badges or biometric security

  • Security cameras monitor the data center locations 24/7

  • Security personnel on site 24/7

Odoo Backup recovery

But should things go wrong, Odoo can fall back on backups.

  • Odoo keeps 14 full backups of each Odoo database for up to three months: one/day for seven days, one/week for four weeks, one/month for three months.

  • Backups are copied in at least three different data centers, on at least two different continents.

  • You can also download manual backups of your live data at any time via the Odoo.sh backend. Because a downloaded backup is itself a security risk (loss, theft), this is not recommended.

  • Hardware failover: For services hosted on bare metal, where hardware failures are possible, Odoo has implemented local hot standby replication, with monitoring and a manual failover that takes less than five minutes.

  • Disaster recovery: In the event of a complete outage, with a data center completely down for an extended period of time and failover to a local hot standby impossible (according to Odoo this has never happened so far; it is the worst-case scenario), Odoo has the following objectives:

    • RPO (Recovery Point Objective) = 24 hours. This means you can lose up to 24 hours of work if the data cannot be recovered and your last daily backup has to be restored.

    • RTO (Recovery Time Objective) = 24 hours. This is the time needed to restore service in another data center if disaster strikes and a data center goes down completely.

    • How this is achieved: Odoo actively monitors the daily backups and replicates them to multiple locations on different continents. Odoo has automated provisioning to deploy the services at a new hosting location. Restoring the data from the previous day's backups can then be done in a few hours (for the largest clusters).

    • Odoo routinely uses both the daily backups and the provisioning scripts for daily operations, so both parts of the disaster recovery process are constantly tested.
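To show what the retention schedule and the RPO/RTO objectives above mean in practice, here is an added example in Python. It is not Odoo's code and does not reflect how Odoo.sh actually selects backups; the "one per day / one per week / one per month" rule is interpreted here as a grandfather-father-son scheme (all backups from the last seven days, the latest backup of each of the last four ISO weeks, the latest backup of each of the last three calendar months), and the backup history and outage timestamps are constructed sample data.

```python
from datetime import date, datetime, timedelta


def _as_date(value):
    """Accept either a date or an ISO string (constructed inputs use strings)."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def _as_datetime(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def daily_backups(start, end):
    """Constructed history: one full backup on every day from start to end."""
    start, end = _as_date(start), _as_date(end)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def retention_plan(backups, today, daily=7, weekly=4, monthly=3):
    """Return the sorted list of backup dates the daily/weekly/monthly scheme
    keeps, given every date on which a full backup exists.

    Assumed interpretation (not Odoo's documented algorithm):
    - daily:   every backup from the last `daily` days;
    - weekly:  the latest backup in each of the last `weekly` ISO weeks;
    - monthly: the latest backup in each of the last `monthly` calendar months.
    The union holds at most daily + weekly + monthly entries (14 by default);
    overlaps (this week's latest backup is also a daily one) make it smaller."""
    today = _as_date(today)
    have = sorted({_as_date(b) for b in backups if _as_date(b) <= today})
    keep = {d for d in have if (today - d).days < daily}

    latest_in_week = {}
    latest_in_month = {}
    for d in have:                      # ascending order, so the last write wins
        latest_in_week[tuple(d.isocalendar()[:2])] = d
        latest_in_month[(d.year, d.month)] = d
    for week in sorted(latest_in_week, reverse=True)[:weekly]:
        keep.add(latest_in_week[week])
    for month in sorted(latest_in_month, reverse=True)[:monthly]:
        keep.add(latest_in_month[month])
    return sorted(keep)


def recovery_report(last_backup, incident, service_restored,
                    rpo_hours=24.0, rto_hours=24.0):
    """Compare one outage against the RPO/RTO targets.

    data_loss_hours: work done between the last usable backup and the incident
                     (what an RPO of 24 h bounds);
    downtime_hours:  time until service is back (what an RTO of 24 h bounds)."""
    last_backup = _as_datetime(last_backup)
    incident = _as_datetime(incident)
    service_restored = _as_datetime(service_restored)
    data_loss = (incident - last_backup).total_seconds() / 3600
    downtime = (service_restored - incident).total_seconds() / 3600
    return {
        "data_loss_hours": data_loss,
        "rpo_met": data_loss <= rpo_hours,
        "downtime_hours": downtime,
        "rto_met": downtime <= rto_hours,
    }


if __name__ == "__main__":
    # Constructed sample: nightly backups since 1 July 2021, viewed on 25 October 2021.
    history = daily_backups("2021-07-01", "2021-10-25")
    for kept in retention_plan(history, "2021-10-25"):
        print(kept.isoformat())
    # Constructed outage: last backup 02:00, incident 20:30, service back next morning.
    print(recovery_report("2021-10-24T02:00", "2021-10-24T20:30", "2021-10-25T10:00"))
```

Run on a full nightly history, the plan keeps eleven backups rather than fourteen, because the current week's and current month's "latest" backups coincide with the daily ones; the oldest kept copy is the end-of-month backup from two months back. The report makes the RPO arithmetic explicit: an incident 18.5 hours after the last nightly backup is inside a 24-hour RPO, an incident 25 hours after it is not.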

Conclusion

How safe is Odoo? I think we can conclude that Odoo, the company, is doing everything it can to make the software as safe as possible. It has also taken good security measures to keep the Odoo systems as safe as possible. It is now up to you to use Odoo as safely as possible as well. That starts with a good security policy and making the right settings in Odoo to make access as secure as possible. You have read 'as safe as possible' a number of times. Be aware that 100% security does not exist. There are always risks. You can limit these risks and make sure you know what to do in case something goes wrong.

Do you want more information about Odoo's security features, or do you want help setting them up? Contact us.

Disclaimer

This blog was written in October 2021. It is based on information then available from Odoo (Source: https://www.odoo.com/nl_NL/security). The information has been supplemented and adapted based on the experiences of Odoo Experts and may not be applicable to your situation. At the time of reading, this information may be out of date. Always consult the latest information from Odoo S.A.


Erwin van der Ploeg, 25 October 2021