Wednesday, July 29, 2009

Why go ERP ? A Baker’s dozen questions to ask before you buy an ERP solution

Leslie Satenstein / July, 2009

Your business volume has grown, and your customers complain that there are too many errors in shipping quantities or wrong products, many errors in your sales invoices. Your accounting staff is complaining, the aged analysis report is showing too many overdue accounts, or accounts over the credit limits. Inventory Management seems to have misplaced goods and payables don’t seem to correspond to receipts or bin cycle counts. The supporting paperwork for must adhered to industry regulations can’t easily be matched to inventory or shipments.

The current year end financial statement makes you nervous, as numbers from your different application systems do not match. A yearly full company audit is costly because you have different systems for sales, purchasing, inventory management, and finance. You also want to do some e-commerce and are concerned about how it can be handled with your current organization. You may want to analyze sales by geographic region, by market and to generally slice and dice your analysis according to your requirements.

ERP to “The rescue”

Your business advisor recommends that you need to implement an Enterprise Resource Planning (ERP) system. You are told that the ERP system will integrate sales, purchasing, distribution, warehousing, manufacturing, ecommerce and Finance, and it will help to reduce overdue accounts, prevent overstock and dead inventory, help with finance and most of all, provide consistent financial figures for the government and auditors.

Moreover, your potential ERP system will provide business intelligence (BI) statistics about customers, product sales, and more. It can generate enough reports and information to overwhelm each manager.

You are convinced you need an ERP system but buying one, you have a few concerns about the best one, and also if your staff are going to be supportive.

Here are a Baker’s dozen questions to ask before embarking on an ERP solution!

MOST IMPORTANTLY, the following points are ones to have answers to before you make that commitment.

1.- Do you do an in-house install of the ERP system, with the necessary hardware additions and wiring?

2.- Do you choose the ERP system and outsource the hardware operation of the ERP system? (This mode allows for on-call support of the hardware, software and remote troubleshooting.)

3.- Do you search for a Software as a Service (SaaS) product and license its use? Everything is now in the hands of a provider whose system is somewhere in the world and your business is hosted therein?

4.- Have you looked at Open Source ERP software as a possibility, as well as closed source Software Vendors? There are cost advantages to the former and often, functional advantages too.

5.- Have you created a detailed Request for Quotation (RFQ) to submit to Vendors? This RFQ would be emailed to the vendors that could provide the needed solution. The RFQ would contain a list of specific business problems you need to solve, will include new features to allow for continued growth (for example, e-commerce, multi-currency, multi-warehouse, multi-company, and even new government requirements, business intelligence, statistical reporting for product trends, etc.) As an aside, in a medium sized organization, a good ERP system allows for a significant reduction in overstocked inventory, reduced stock-outs, and lower warehousing carrying costs for insurance, heating, rental, etc. After the replies, are you going to ask for a demonstration to verify the vendor claims?

6.- Are your managers volunteering to create the Key Performance Indicators (KPI)? These include managers and their staff, who need to own the new system and the accounting firm who needs to know how to use the system to conduct an audit. Are they aware that in owning the new system, the will decide which business processes are included in the ERP package, they will understand how to phase in the rollout and how to measure success with the implementation?

7.- Does your new system require application customizations, because your product is different from the norm?

8.- Are you aware of the conversion effort and costs, which include training, running the new system in test mode for a few days, and the go-live experience.

9.- If you decide to not implement the new system, you need not read further.

Completing the baker’s dozen concerns to consider before you select the vendor

10.- Can the implementation be performed in stages, as a phased approach? If the target system has modules that are nice to have, instead of essential, can you purchase the system without them and then add modules later, without undo penalties.

11.- Which managers should be involved in each implementation phase ?

12.- Do you have a good project manager, or is the vendor providing one? Oftentimes the vendor’s in-house project manager has the in-depth knowledge of the product and previous experience in its implementation. He will work with your staff to implement the system as smoothly and as cost effectively as possible. (For a single site ERP using no foreign currencies, for the implementation estimate the larger of 500 hours or the vendor’s time estimate). Review the project plan to see if it includes training, holidays, and sufficient milestones to allow biweekly tracking at first and weekly tracking as go live approaches.

Some technical considerations

13.- We hear of Service Oriented Architecture (SoA). What does this mean to you? SoA is a software system design where each module in the application is a component. There is a sales module, a finance module, etc. SoA presents the idea that we treat each module as a black box, as we would a microwave oven or a car. We don’t want to know the inner workings, but we want to use the defined interfaces (on-off and other buttons). SoA is a great concept, but thus far, it only works best or at all when all the products are supplied by a single vendor. That is, you cannot easily integrate vendor abc’s sales package with vendor def’s finance package.

Copyright 2009 itBMS - Business and Marketing Solutions Inc.

Monday, July 13, 2009

eCLIPse – Enterprise Clip Security

eCLIPse – Enterprise CLIP Security is a software security solution for any business that requires frequent exchange of secure encrypted data. eCLIPse, simple to integrate and apply, provides safe transfer of confidential data to and from authorized external resources all the while preventing unauthorized viewing. Security is managed by smart-card technology (smart-card chip fitted into a USB token). Using simple, effective and affordable physically secure USB tokens, eCLIPse functions at the National Institute of Standards ( USA’s NIST) “FIPS 140-1 level 3”)

Initialization - Setting up the keys
A standard practice is to have groups of two users from two business areas with each user only providing one half of an encryption key. The company is protected, since this practice ensures that one user does not know the other’s key choice. Putting the two halves together by random selection means that each user does not know a final key value. eCLIPse supports multiple encryption tables with randomly assigned keys. Head office security administration sets up the USB token contents to match. There are two levels of head office control. One is constructing one more tables by choosing ten keys to insert into a table, and the other is choosing which of the keys from within an assigned table will be further assigned to an individual or group. Essentially, each business area may set up its own table and assign users to specific keys.

Comparison with Hard drive Encryption
eCLIPse encryption management is the best solution. Here is why. The argument that one will provide is, why not use a hard drive that is fully encrypted, who needs eCLIPse ?

When the hard drive is encrypted, a problem may arise if a file has to be copied or if maintenance has to be performed. An encrypted copy from that hard drive may not decrypt correctly on the target device. This is usually due to hardware differences between disk drives from the same manufacturer and especially if the target drive has no encryption. If a technician has to repair the contents of the system with the encrypted hard drive, he needs the encryption / decryption keys (provided at logon). If he can log onto the system, he has access to the data, and likewise, so can a hacker. Other concerns include alpha-numeric sorting of encrypted data. There is no guarantee that in using an encrypted drive, data can be sorted in lexicographical order.

Your company’s “Information” is more valuable than the computer it is on. If your laptop computer is lost or stolen, your confidential information cannot be decrypted without your authorized USB token.

Other Uses for eCLIPse
Do you have trouble remembering all your passwords and other personal information? With eCLIPse, you can safely store them in an encrypted file protected by the USB token.

How Eclipse works
Easy, first you will receive the pre-encrypted file (s) from Head Office. The encrypted file was created choosing two of the 10 keys. Instead of transmitting the keys, the index entries of these two keys prefix the data along with other meta data, such as the encryption algorithm used. The file is sent to the user(s) using a safe file transfer method (Secure FTP in an SSH environment). Note that the 10 keys stored in the USB token are identically stored in the head office image of the token’s table.

To view the file, start eCLIPse and plug in and log-into USB token. The two key indexes and the encryption method is read from the file. The two index values are used to retrieve the decryption keys from the USB token. Along with the algorithm ID, decryption takes place. Encryption publication methods supported are “DES Data chaining” and Triple DES.

For uploading to the server, start eCLIPse and logon to the USB token. Two of the encryption keys stored in the USB token are used to encrypt the data prior to uploading. The encryption keys, selected by head-office administration, are different from the server to laptop decryption keys. The file is encrypted and pre-pended with the indexes of the encryption keys placed in the file header. After reception by the head office, the data is decrypted in decrypted in the same way as files sent to the laptop.

All encryption keys and key locations in the table are managed with the eCLIPse administration facility. The administration facility is a head-office tool, and it is the only place where one can initiate an update to the USB token. All information on the USB token is hardware protected and encrypted. Common practice is to update all the USB tokens and decryption keys every other year.

Two different recipients with copies of the same data, after encryption, may receive differently encrypted downloads as the “table with keys” and the ordered list of encryption/decryption keys may differ from USB token to the next. This means that if one individual loses his USB token, the one he borrows from his peer may not decrypt his own data.

Three Strikes and Your Out
The hardware of the USB token is designed to support an absolute maximum of ten successive failed logon attempts after which the USB token must be returned for hardware re-initialisation. Within eCLIPse we have set the application logon threshold to three. In the event of USB token logon failure, eCLIPse provides for overrides via voice contact to head office. Standard questions from head-office are used to validate the user. Following user validation the user has twenty minutes to use a password given verbally or by email. He uses it to login to the USB token and is forced to immediately enter a new user password.

Session timeout
If the user leaves the laptop inactive for predefined time, eCLIPse can be set to block and requires a new logon. There is a keyboard lock option to handle coffee breaks.

The USB token remains on the owner’s keychain, is not stored with the laptop and is not normally interchangeable with another users USB token. Each USB token also has a logon access mechanism, with options to control number of logon attempts before lockout, number of allows executions, timeout mechanisms and many other selectable security functions.

eCLIPse provides up-to-date safe transfer of confidential data to and from managers and auditors, all the while preventing unauthorized viewing. Encryption security is managed by eCLIPse's head-office administration system, tailoring full transfer management of encrypted data between the individuals laptop and head office.

eCLIPse Modes of Operation
eCLIPse may be setup for batch download.. eCLIPse itself does not do the file transfer. Encrypted files are stored on the laptop or on a flash drive. No unencrypted data will be present on either. eCLIPse may also be used for real-time live access. Application Programming Interfaces (APIs) are provided.

Some additional system management information
USB token management. When the head office client receives his order of serial numbered USB tokens, he registers the serial numbers in a database and listed as unassigned. The database design can hold information for 10,000 USB tokens. A USB token can be used with one or more applications but to only one specific user. If need be, a user may have more then one smart-card USB token, to answer his particular needs.

Usage Examples
A large Canadian Banking-Financial Institution has regional data centers in different localities. After the head-office data processing of sensitive business data is completed, the files are encrypted and sent to their regional centers. The regional centers decrypt the received file and immediately re-encrypt it for the authorized user of the USB token. This action prevents a head-office person from knowing decryption information for the files destined to the end-user. In 10 years of use, no security loss of confidential encrypted information has ever occurred. This institution dedicated two of the 10 encryption key slots for global inter-branch transmission. A user uses the USB token to encrypt and transfer data that is needed in another branch.

Canada’s Quebec Provincial auditors, l'Autorité des marchés financiers, are using the eCLIPse system to manipulate laptop based secure data.

Not implemented is Public key encryption or PGP, but may supported on request. Triple DES is banker secure, executes well on older laptops as well proven.. The USB token keys for future algorithm support may vary from 64 bits to 640bits (8 bytes to 80 bytes).

The eCLIPse USB token is validated to security level FIPS 140-1, level 3, from the National Institute of Standards and Technology, USA.

About Encrypted Security Systems

Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules, specifies the security requirements that are to be satisfied by the cryptographic module utilized within a security system protecting sensitive information within computer and telecommunications systems (including voice systems).

The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover eleven areas related to the secure design and implementation of the cryptographic module.

These areas include the following:
1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8.Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10. Design Assurance
11. Mitigation of Other Attacks

The Cryptographic Module Validation Program (CMVP - validates cryptographic modules to FIPS PUB 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE - of the Government of Canada. Products validated as conforming to FIPS PUB 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or Designated information (Canada).

In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to have their modules tested. Organizations wishing to have validations performed would contract with the laboratories for the required services.