In today’s digital landscape, the security of business software is a crucial concern for organizations of every size. Odoo, a leading open-source ERP system, is no exception to this rule. Used by a wide range of companies worldwide, the platform inevitably raises questions about the robustness of its security measures. How safe is your data in Odoo? What protocols have been implemented to prevent unauthorized access? And how does the system respond to potential cyber threats? These questions are not only legitimate, but also highly relevant in an era in which cyberattacks and data breaches are becoming increasingly common. In this blog, we will conduct a thorough analysis of Odoo’s security aspects, to give you a clear picture of how the platform protects your business information.
When we talk about security, we can distinguish between two types of security issues. These are data loss (through theft) and being unable to access your data. Let’s take a closer look at these two security issues.
Data loss (through theft)
The biggest security risk for data loss is the employees who have access to the Odoo software and/or database. Employees need access to, for example, customer and product data for their daily work. Because they can view this data, they can also steal it. This can be done by making an export, taking screenshots, or taking photos. Unfortunately, there is very little that can be done about this. The only thing you can do is limit access (permissions) to the most sensitive information.
You can, however, make access to Odoo itself as secure as possible. Odoo offers the following options for this:
A password policy (minimum length) and password strength checking
Time-based two-factor authentication (2FA TOTP)
LDAP connection and login
OAuth provider login (Google, Microsoft*, Facebook)
* Microsoft Azure AD is not yet supported
Passwords are stored as PBKDF2+SHA512 hashes, an industry-standard password hashing scheme (the plaintext password is never stored). Login credentials are always transmitted over HTTPS. It is also possible to set a rate limit and a cooldown period for repeated login attempts. Other password policies, such as required character classes, are not enforced by default because they have proven to be counterproductive (see e.g. Shay et al. 2016).
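To make the three mechanisms above concrete (a minimum-length policy, PBKDF2+SHA512 password hashing with a per-user salt, and a rate limit with a cooldown on repeated failed logins), here is an added example written for this article. It is not Odoo's code: Odoo's own implementation, its iteration count, its attempt limits and its cooldown length are not shown on this page, so the values below (600,000 iterations, 5 attempts per 60 seconds, 300-second lockout) and all function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from base64 import b64decode, b64encode

# Assumed parameters for this example; they are not Odoo's settings.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """A minimum-length policy only: no required character classes (see Shay et al. 2016)."""
    return len(password) >= min_length


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2-sha512$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one rainbow table.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha512$%d$%s$%s" % (
        iterations, b64encode(salt).decode("ascii"), b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha512":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, b64decode(digest_b64))


class LoginRateLimiter:
    """Lock an account for `cooldown` seconds after `max_attempts` failures within `window` seconds."""

    def __init__(self, max_attempts=5, window=60.0, cooldown=300.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.cooldown = cooldown
        self.clock = clock            # injectable so the behaviour can be tested without sleeping
        self._failures = {}           # login -> timestamps of recent failures
        self._locked_until = {}       # login -> time at which the lockout expires

    def is_locked(self, login: str) -> bool:
        until = self._locked_until.get(login)
        if until is None:
            return False
        if self.clock() >= until:     # cooldown elapsed: forget the lock and the old failures
            del self._locked_until[login]
            self._failures.pop(login, None)
            return False
        return True

    def record_failure(self, login: str) -> None:
        now = self.clock()
        recent = [t for t in self._failures.get(login, []) if now - t < self.window]
        recent.append(now)
        self._failures[login] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[login] = now + self.cooldown

    def record_success(self, login: str) -> None:
        self._failures.pop(login, None)
        self._locked_until.pop(login, None)


# Hash verified for unknown logins, so a missing account costs the same time as a wrong password.
_DUMMY_HASH = hash_password("not-a-real-password")


def attempt_login(users: dict, limiter: LoginRateLimiter, login: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. `users` maps login -> stored hash record."""
    if limiter.is_locked(login):
        return "locked"                      # do not even check the password while locked out
    stored = users.get(login, _DUMMY_HASH)
    if verify_password(password, stored) and login in users:
        limiter.record_success(login)
        return "ok"
    limiter.record_failure(login)
    return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery")}
    limiter = LoginRateLimiter(max_attempts=3)
    for attempt in ["wrong", "wrong", "wrong", "correct horse battery"]:
        print(attempt, "->", attempt_login(users, limiter, "alice", attempt))
```

The two details worth copying are the constant-time comparison in verify_password (a plain == would leak how many leading bytes matched) and the dummy verification for unknown logins, which keeps the response time from revealing which user names exist.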
The problem with all security options is that nothing is 100% secure. Every method involves a trade-off between convenience and security. For many companies, a combination of options one and two will be sufficient: enforce a good password policy and then add two-factor authentication via SMS or an authenticator app.
In addition to the risk of data loss through (unwanted) access to Odoo, there is also the risk of database access and access to Odoo’s physical servers. This risk is many times smaller than access to Odoo itself. Direct access to the Odoo database is not possible on Odoo.sh.
Various measures have been taken to protect data against, for example, physical access or access by employees. You can read about these on the Odoo security information page.
Being unable to access your data
Being unable to access your data can have many causes: a bug in the software or a hardware failure, but also larger events such as disasters, viruses, cyberattacks, ransomware or other hacks. Here too, we can distinguish two categories: the security measures that prevent this, and the options for recovering after it has happened.
Odoo security measures
To reduce the risk, Odoo has built in security on various fronts. When developing the software, security comes first (Odoo Secure by design). Odoo participates in the CSA Security Trust Assurance and Risk (STAR) program. Odoo Cloud servers are hosted in trusted data centers in different regions of the world (e.g. OVH, Google Cloud), and they must all exceed Odoo’s physical security criteria, such as:
Restricted access, physically accessible only to authorized data center employees
Physical access control with security badges or biometric security
Security cameras monitor the data center locations 24/7
Security personnel on site 24/7
Odoo Backup recovery
But if something does go wrong, Odoo can fall back on backups.
Odoo keeps 14 full backups of each Odoo database for up to three months: one per day for seven days, one per week for four weeks, and one per month for three months.
Backups are copied to at least three different data centers, on at least two different continents.
You can also download manual backups of your live data at any time via the Odoo.sh backend. Because downloading a backup is a security risk (loss, theft), this is not recommended.
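The 7 daily / 4 weekly / 3 monthly schedule above is a classic grandfather-father-son rotation. The following added example, written for this article and not taken from Odoo (how Odoo actually selects and prunes its backups is not described on this page), shows one way such a policy decides which of a run of daily snapshots to retain. The tier rules (newest snapshot of each ISO week, newest snapshot of each calendar month not already covered) and the function names are assumptions made for the example; the snapshot dates are constructed.

```python
from datetime import date, timedelta


def select_retained(snapshots, today, daily=7, weekly=4, monthly=3):
    """Map each retained snapshot date to the tier that keeps it.

    Tier rules assumed for this example:
      daily   - every snapshot from the last `daily` days
      weekly  - the newest snapshot of each of the next `weekly` older ISO weeks
      monthly - the newest snapshot of `monthly` calendar months not yet represented
    """
    dated = sorted(set(snapshots), reverse=True)   # newest first, duplicates removed
    keep = {}

    # Tier 1: one per day for the last `daily` days.
    for d in dated:
        if 0 <= (today - d).days < daily:
            keep[d] = "daily"

    # Tier 2: walking backwards, keep the first (= newest) snapshot seen in each ISO week.
    weeks_seen = []
    for d in dated:
        if d in keep or (today - d).days < daily:
            continue
        week = d.isocalendar()[:2]                 # (ISO year, ISO week number)
        if week in weeks_seen:
            continue
        if len(weeks_seen) >= weekly:
            break
        weeks_seen.append(week)
        keep[d] = "weekly"

    # Tier 3: newest snapshot per calendar month, for months with nothing kept yet.
    months_kept = {(d.year, d.month) for d in keep}
    monthly_added = 0
    for d in dated:
        month = (d.year, d.month)
        if month in months_kept:
            continue
        if monthly_added >= monthly:
            break
        months_kept.add(month)
        keep[d] = "monthly"
        monthly_added += 1

    return keep


def snapshots_to_delete(snapshots, today, **kwargs):
    """Everything not selected by the rotation is eligible for pruning."""
    retained = select_retained(snapshots, today, **kwargs)
    return sorted(set(snapshots) - set(retained))


def build_daily_snapshots(first, last):
    """Constructed sample input: one snapshot per day from `first` to `last` inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


if __name__ == "__main__":
    snaps = build_daily_snapshots(date(2021, 7, 1), date(2021, 10, 31))
    kept = select_retained(snaps, date(2021, 10, 31))
    for d in sorted(kept):
        print(d, kept[d])
    print(len(kept), "retained,", len(snapshots_to_delete(snaps, date(2021, 10, 31))), "pruned")
```

With daily snapshots from 1 July to 31 October 2021 the rotation keeps exactly 14 dates (7 daily, 4 Sunday snapshots, and the last day of September, August and July), which matches the figure quoted above and shows that the oldest retained copy is about three months old.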
Hardware failover: for services hosted on bare metal, where hardware failures are possible, Odoo has implemented local hot-standby replication, with monitoring and a manual failover procedure that takes less than five minutes.
Disaster recovery: in the event of a complete outage, where a data center is fully offline for an extended period and failover to a local hot standby is therefore impossible (the worst-case scenario; according to Odoo, this has never happened so far), Odoo has the following objectives:
RPO (Recovery Point Objective) = 24 hours. This means that you can lose a maximum of 24 hours of work if the data cannot be recovered and we have to restore your latest daily backup.
RTO (Recovery Time Objective) = 24 hours. This is the time to restore the service in another data center if a disaster occurs and a data center completely fails.
How this is achieved: Odoo actively monitors the daily backups, and they are replicated across multiple locations on different continents. Odoo has automated provisioning to deploy the services to a new hosting location. Restoring the data based on the previous day’s backups can then be done within a few hours (for the largest clusters).
Odoo routinely uses both the daily backups and the provisioning scripts for daily operations, so both parts of the disaster recovery procedure are continuously tested.
Conclusion
How secure is Odoo? I think we can conclude that Odoo as a company does everything it can to make the software as secure as possible. It has also put in place strong security measures to keep the Odoo systems as secure as possible. It is now up to you to use Odoo as securely as possible as well. That starts with a good security policy and making the right settings in Odoo to make access as secure as possible. You read the phrase ‘as secure as possible’ a number of times. Be aware that 100% security does not exist. There are always risks. You can reduce these risks and make sure that you know what to do if things unexpectedly go wrong.
Would you like more information about Odoo's security options or would you like help configuring them? Feel free to contact us.
Disclaimer
This blog was written in October 2021. It is based on the information available from Odoo at that time (Source: https://www.odoo.com/security). The information has been supplemented and adjusted based on the experiences of Odoo Experts and may not be applicable to your situation. At the time of reading, this information may be outdated. Always consult the latest information from Odoo S.A.