Charles University in Prague, Czech Republic
Faculty of Mathematics and Physics

BACHELOR THESIS

Andrei Conicov

The Issues of Correct Implementation of ERP System for a Small Company

Department of Software Engineering - KSI
Supervisor: Mgr. Jan Ulrych
Study Program: Computer Science
Field of Study: Programming

2009


I would like to take this opportunity to thank the supervisor of this bachelor thesis, Mr. Jan Ulrych, for his valuable advice, comments and thought-provoking suggestions regarding the thesis.

I declare that I wrote my bachelor thesis independently and exclusively with the use of the cited sources. I agree with the lending and publishing of the thesis.

Prague, 22nd May 2009
Andrei Conicov


Contents

1. Introduction
    1.1. Motivation
    1.2. Current situation
2. Introduction to Business Processes and ERP Concepts
    2.1. What is ERP?
    2.2. What functions should an ERP system provide?
    2.3. Advantages and disadvantages of an ERP system
    2.4. Example of ERP based system
    2.5. The Ideal ERP System
    2.6. ERP System Implementation
3. ERP for large companies
    3.1. Example of ERP system (SAP)
    3.2. SAP Application Modules
    3.3. SAP Topology
    3.4. Commercial vs. Open Source ERP
4. ERP for SEs
    4.1. ERP software requirements
    4.2. Programming language
    4.3. Modules
    4.4. Software deployment
    4.5. Architecture
        4.5.1. Services Oriented Architecture (SOA)
        4.5.2. Model-Driven (MDA) and Event-Driven Architecture (EDA)
        4.5.3. Multi-Tier Architecture
    4.6. Operating System (OS)
    4.7. Data storage
        4.7.1. Data sharing
        4.7.2. ERP Database Management System (DBMS)
    4.8. Network
        4.8.1. The Reliability Challenge
        4.8.2. Network Performance
    4.9. Security
        4.9.1. Role-based Security
        4.9.2. Protected views
        4.9.3. Database security
        4.9.4. Network security
        4.9.5. Encryption
        4.9.6. Auditing
5. Conclusion
Glossary
Literature


Title: The Issues of Correct Implementation of an ERP System for Small Companies
Author: Andrei Conicov
Department: Department of Software Engineering
Supervisor: Mgr. Jan Ulrych
Supervisor’s e-mail: [email protected]
Abstract: The aim of this thesis is to describe the architecture of an ERP¹ system, define the tasks it is responsible for and emphasize the differences between ERP for small and large companies. It is important to understand that the requirements and possibilities of these organizations differ and, as a consequence, the SW must be different as well. ERP systems are complex and, in an effort to understand them, I sometimes explain general concepts, but these form the basis of the key concepts of ERP architecture. This thesis does not aim to describe the final architecture of an ERP system, because it is a very complex SW system. It only analyzes client needs and technical possibilities so that it is possible to create an ERP system that will meet the requirements of small enterprises. This is achieved by defining and describing the concepts that should be taken into account. In some cases I try to offer solutions to problems that may be encountered.
Keywords: ERP, small enterprise, business process, software architecture, operating system, open source, database management system, security, SAP, Oracle.

Title: The Issues of Correct Implementation of ERP System for a Small Company
Author: Andrei Conicov
Department: Department of software engineering
Supervisor: Mgr. Jan Ulrych
Supervisor’s e-mail address: [email protected]
Abstract: The aim of this paper is to describe the architecture of an ERP system, clearly define the tasks it has to solve and, as a result, emphasize the differences between ERP for large and small size companies. It is important to understand that the requirements and possibilities of these two types of organizations are different and, as a result, the SW also has to be different. ERP systems are complex and, in order to understand them, in some cases I explain general concepts, which cover the pivot points of the ERP architecture. This paper’s aim is not to describe the final architecture of an ERP system, because it is a very complex software (SW) product. It just analyzes the clients’ needs and the technical possibilities in order to be able to create an ERP system that will meet the demands of small enterprises (SE); this is achieved by defining and describing points that should be taken into consideration. In some cases I try to offer possible solutions and tips for the encountered problems.
Keywords: ERP, small enterprise (SE), business process, software architecture, operating system (OS), open source, network, database management system (DBMS), security, SAP, Oracle.

1 Enterprise Resource Planning


1. Introduction

1.1. Motivation

ERP is short for Enterprise Resource Planning; it is a process that utilizes specific software (SW) applications in order to improve the performance of an organization by integrating aspects of the business, such as planning, sales, manufacturing, purchasing and others. ERP has the goal of improving and streamlining internal business processes [7].

Over the last decades, companies in the worldwide business environment have tried to adopt commercial ERP packages, but because ERP packages were initially designed for large-scale companies, it is difficult to implement an ERP package according to the needs of small enterprises (SEs). After saturating the ERP SW market of large companies, giant ERP SW developers understood the potential of the SE market and started to develop packages intended to satisfy SEs’ needs. For companies like SAP or Oracle it has not been a problem to create new SW. However, the results are different from the initial visions [16].

This happened because, since its introduction, ERP has been a term restricted purely to the elite class. Large organizations went ahead with the ERP process regardless of negative consequences, not to mention the fact that they took every proactive measure to restructure their business processes. Needless to say, from the beginning Oracle and SAP were interested in serving such large players, and as a result SEs think that ERP solutions are not appropriate for them.

1.2. Current situation

Vendors of ERP systems now look at SEs as an interesting market, selling the concept of a packaged system that can do everything. I have to stress the fact that they are selling a concept and not an ERP system solution for SEs. Niche companies rely on their peculiarity and their ability to conform to customers’ demands in a flexible manner, while the offered ERP systems may oblige the company to adopt an inflexible structure, threatening the most valuable characteristic of an SE, its dynamic nature. In such a situation SEs should take care not to overspend on HW or SW (“most companies spend too much and get very little in return”²).

2 Larry Ellison, Chairman and CEO, Oracle Corporation


2. Introduction to Business Processes and ERP Concepts

Increasingly, corporations are realizing that the customers’ needs may be professionally satisfied only if the business processes are designed and administered to meet those needs. This means that obtaining raw materials, fabricating parts, delivering the final product and many other processes that may exist in a company have to be administered using one system, which would permit coordinating all the actions with a minimum of financial losses. This can be achieved by using modern information systems such as ERP systems.

ERP systems are designed to provide the necessary tools for managing all kinds of processes: financial, manufacturing, human resources, distribution, sales, etc. [34] The capability of ERP systems to answer queries quickly and to eliminate steps that may be automated enables the organization to compete at a higher level. But this can be achieved only if employees learn how to manage processes using the ERP system [4].

Before trying to analyse the structure of an ERP system it is necessary to understand what an ERP system is. In order to accomplish this I will try to answer three questions:

• What is ERP?
• What functions should an ERP solution provide?
• What are the advantages-disadvantages of an ERP system?

2.1. What is ERP?

The term ERP originally referred to the way a large organization planned to use organizational resources. The idea of ERP evolved into a SW package that usually uses one database and one interface that offers functions for various departments. Therefore employees across an organization can see the latest information about all kinds of business processes and cooperate in completing business objectives.

ERP was originally developed to help in updating the complex processes involved in manufacturing. Before the name was switched to ERP it was called Materials Requirements Planning and some time after Manufacturing Resource Planning [34]. Today ERP is the information system that integrates the whole company and performs the required information processing. This means that the ERP system has to support multiple kinds of operations, and that leads to a complex system structure [9]. Likewise, offering a vast variety of configurable settings increases the SW complexity and price. (“I don't know the key to success, but the key to failure is trying to please everybody.”³)

Enterprise management systems have three main goals:

1) Offer methods for efficient processing of all the company’s transactions and data in real-time mode.

2) Provide methods so that managers can analyze effectiveness and profitability and, as a result, make the best decisions.

3) Provide solutions for storing business information and methods for planning, in order to achieve optimum results.

3 Bill Cosby


2.2. What functions should an ERP system provide?

ERP systems focus primarily on the internal business processes. By providing one database, an ERP system makes it possible to supervise many administrative functions such as product planning, marketing, sales, human resources, financials, etc. Some SW vendors sell ERP packages that also contain other categories of enterprise SW such as Supply Chain Management (SCM) and Customer Relationship Management (CRM). ERP has the task of improving and streamlining internal business processes, while CRM attempts to advance the relationship with customers. It offers information about customer interactions, for example technical-support issues or sales orders. SCM seeks to make the cooperation between the company and its associates (distributors, suppliers, manufacturers and others) more efficient.

Companies have diverse ERP requirements, which is why there are ERP solutions that do not incorporate functions for every department. Companies might want an ERP system limited to a few vital applications that offer real improvements to the way the business operates. For example, a company could use an ERP system just to integrate finance and accounting with payroll [2]. The reasons may be different, starting from the fact that legacy systems may be able to handle specific tasks in a better way, and ending with the fact that implementing some of the modules may be too expensive or would not bring visible changes.

For SEs the possibility to choose which part of the ERP system to implement is very important. Usually a business starts with simple financial and process systems, which require a combination of paper documents and electronic spreadsheets. In the process of growing, companies incorporate off-the-shelf SW with features to handle accounting, payroll and some asset management. The transition to ERP is an attempt at faster growth and improved profits, but this requires careful ERP consideration.

There are tens of ERP systems available and a wrong decision can potentially sink an SE. This means that SEs have to implement simple ERP systems that can be extended in future to a more powerful one. Adding new modules to the existing ERP system is cheaper than spending money on completely new SW. An example of modules from which an SE can choose is presented in Figure 1 (ERP system modules). This figure also emphasises the fact that these modules may work independently and it is not necessary to implement them all. The only part that cannot be excluded is the database and the ERP logic that defines how the modules interoperate. In some sources this part is named Business logic. A more detailed description of these modules is provided in the chapter The Ideal ERP System.

Figure 1 ERP system modules


2.3. Advantages and disadvantages of an ERP system

The usage of an ERP system brings multiple advantages, but each SE has to find the area in which the ERP system can indeed make a difference. I will present an example of ERP usage, which is related to improving the ordering process [40]. After the ordering procedure starts, ERP provides the necessary means for automating some of the steps that are needed for successful fulfilment. The employee obtains the existing information that may be useful before the order is entered into the system, for example:

• order history and customer’s ability to pay (finance module),
• the current inventory levels (warehouse module),
• shipping schedule (logistics module).

People in different departments see the most recent and accurate information and, according to the company policy, can update it. The ERP system automatically routes the order through the required departments and as a result it is possible to track where the order is at any moment. With luck, the order process moves a lot faster through the organization, with fewer errors than before. ERP can streamline many major business processes in the same way.

The old business processes may not have been so efficient, but they were simple. After implementing an ERP system the workers of the company have to work as a team by sharing difficulties. With ERP, the customer service representatives receive the latest information and they have to answer the following questions and make the right decisions: Will the customer pay on time? Will the company be able to fulfil its obligations on time? These decisions affect both sides, the customer and the company. But it is not just about fulfilling the order, because people in the warehouse now need to put the stock information online. If they do not, customer service representatives will see low inventory levels and will have to reject new orders.

It is hard to estimate the value of ERP [10]. If the company uses ERP to improve the way orders are taken and goods are manufactured, shipped and billed, it will see value from the SW. If the SW is simply installed without changing the way employees fulfil their duties, it may not bring any benefits. The new SW could even slow down or destroy the business. Simply replacing the old SW that workers were familiar with by a new one that no one knows requires time and money. What is more important, ERP asks the employees to change the way they work.

ERP benefits may be summarized as follows:

• ERP solutions help to minimize fees by integrating different systems into one platform and offering one interface to the end users.

• Managers have the necessary information to streamline business processes and workflows by accessing comprehensive reports more easily.

• Data is shared across various departments. Employees can track business processes and adjust their plans as needed.

• Better customer services; higher efficiency and productivity levels.

• Lower costs.

Implementing an ERP system usually brings more advantages than disadvantages; here are some of the most common disadvantages:

• ERP systems have to be reconfigured every time the company decides to change their business direction.


• Usually the ERP system has to be customised.

• The business processes have to be reengineered.

• ERP systems can be very expensive and the employees have to be trained.

• Sometimes vendors cannot provide good support.

• Sometimes sensitive information has to be transmitted to support teams.

Usually many obstacles can be prevented if correct investment and analysis are made. Likewise, it depends on the experience and the aptitude of the workforce to quickly adapt to the new conditions.

2.4. Example of ERP based system

ERP is a system that evolves to face the requirements of the existing business processes. The evolution takes place on two levels: the quality level and the functional level. The evolution on the functional level is possible by creating new systems that can interact with the existing ERP system. An example of such evolution is shown in the case of a supply chain [18]. The supply chain management system consists of the following systems, which provide specific functions:

• ERP: functions: materials management, purchases and sales; users: trading companies and manufacturers.

• TMS (transportation management systems): functions: order picking, receipts put-away and bin management; users: wholesalers and logistics service providers.

• WMS (warehouse management systems): functions: planning, transport booking and monitoring; users: carriers and forwarders.

These systems can be either standard SW packages with parameter configuration or designed to the company’s specific needs. The interoperation of these three systems is presented in Figure 2 (Supply chain information system).


Figure 2 Supply chain information system [18]

Systems like ERP, TMS and WMS have their strength in the methods implemented for managing elementary business data, such as consumers and sales orders, items and prices, warehouses and bins, resources and work orders, suppliers and purchase orders. Each of the systems has its own database in which these data are stored. The electronic data interchange interfaces between the local systems enable the exchange of information. The detailed explanation of the supply chain system architecture is beyond the scope of this paper and may be found in source [18].

2.5. The Ideal ERP System

Many SEs need to change their business processes very often. The ideal ERP system must be able to facilitate these changes; therefore it has to be flexible. Flexibility may be achieved by adopting a feature named modularity, which implies that replacing a module with another system module has to be an easy task [40]. It has to use databases that are interconnected. The databases should store data from various SW modules and offer fast access to them. The ERP system must be able to support a big variety of functions, which are related to the company business processes, and of course it must be designed for a diverse range of companies. The ERP may contain the following modules:

Production Planning: This module has the objective of optimizing the use of manufacturing capacity and material resources according to the sales forecasting and even by using historical production data.

Purchasing: This module streamlines acquisition of required raw materials. This may be achieved by automating several processes, for example: identifying potential suppliers, ordering and billing. For a better result this module may be linked with the production planning and inventory control modules or it may be combined with the supply chain management SW.

Sales: This module is responsible for the revenues by implementing functions regarding ordering: arrangement, placement, invoicing and delivery. It may also be helpful for an organization's e-commerce.

Inventory Control: This module is responsible for the stock level in a warehouse. By integrating this module with purchase, sales, and finance modules ERP systems are able to generate accurate executive level reports.

Financial: This module is usually the core of many ERP systems. Its main responsibility is gathering financial data and generating financial reports.

Human Resources: This module is responsible for the management of human resources and capitals. This implies keeping useful information about workers [61].

Market: This module supports direct customer notifications, lead generation⁴ and marketing works.

The initial purpose of the ERP system was to make business processes more efficient and to streamline them. Today there are modules that satisfy this purpose only partially but offer new possibilities. Such modules, which must have the chance to cooperate with the ERP system, are:

Supply Chain Management: SCM aims to facilitate the cooperation between the company and its associates: distributors, suppliers, manufacturers and others.

Customer relationship management (CRM): CRM aims to enhance the relationship with customers. This is done in order to improve services provided to clients and to create better marketing campaigns [2].

Data Warehouse: This is a centralized repository that accumulates data from diverse departments and converts them into a multidimensional data model that supports efficient querying and analysis [43].

Business Intelligence: The BI component helps to monitor the state of the company, providing relevant information, in order to take the best decision. To complete this task the BI module offers advanced methods for reporting, predictive analytics, data mining, business performance management, benchmarks, text mining, OLAP⁵, and others.

Today we may find ERP solutions that implement all the described modules. One of them is an open-source SW, developed by Openbravo [64]. The architecture of the Openbravo ERP system is presented in Figure 3 (OPENBRAVO ERP). According to [22], “Research shows that even a best application package can meet only 70 percent of the organizational needs.” All these ERP systems require setting hundreds and even thousands of switches in order to meet the company requirements. For example, one SAP ERP system required setting nearly 8000 switches [22].

4 Lead generation is a marketing term that refers to the creation or generation of prospective consumer interest or inquiry into a business' products or services. It can be generated for a variety of purposes - list building, e-newsletter list acquisition or for winning customers.

5 Online analytical processing is an approach to quickly answer multi-dimensional analytical queries. (Background information: http://en.wikipedia.org/wiki/OLAP)


Figure 3 OPENBRAVO ERP [64]

2.6. ERP System Implementation

Implementing an ERP system is a hard task that requires, besides planning and consulting, a long time period (3-12 months or even more) [40]. ERP systems offer an extraordinarily large range of tools, and for larger organizations that are eager to use many of them it can be extremely complex, requiring changes in the work practices. One of the many decisions that have to be made when implementing an ERP system is deciding who will run the project. Even if the company has in-house IT staff, it is advised to hire consultants. Consulting companies may be a cheaper option, because they have more experience and are trained to implement such systems. The provided services may be classified in three groups [40]:

• Consulting Services – they provide the necessary support in the initial stages, by helping to install, train, and set up the necessary configurations. They may also help to improve the use of an already installed ERP system.

• Customization Services – they help when the necessity of extending the existing ERP system appears. They may also help to customize the interface.

• Support Services – they offer support and maintenance of ERP systems.


3. ERP for large companies

In this chapter I will present some of the existing ERP systems that are used by large companies, in order to facilitate the understanding of a complex solution and provide a reference model in describing the ERP system for SEs.

3.1. Example of ERP system (SAP)

The first SW package that comes to mind when speaking about ERP systems is SAP [24], because it is the leading Information and Management Package worldwide. Fortune 500⁶ companies typically use its original products, but SAP is now also trying to increase its influence in small and medium sized enterprises with its SAP Business One and SAP All in One. The SAP system has gained popularity because it was one of the first systems that incorporated the concepts of ERP and provided a complete solution that included tools for managing manufacturing, finance, and human resources.

In order to facilitate the creation of SAP systems the company used an interpreted language called ABAP (Advanced Business Application Programming) that has syntax similar to COBOL. By using the ABAP language customers have the possibility to extend the base functionality of the SW. SAP products are distributed as applications focused on particular business functions, with functional modules inside each application. This is the reason why SAP customers can choose what applications to implement. Customers may also customize SAP applications. However, after the code is changed, SAP does not guarantee that it will work as intended, and the customization process is not so cheap. Another minus of customizations is the fact that when the system is upgraded, it is necessary to reconfigure the applications once again, which means spending money. SAP clients can choose from several databases, and each of the modules is delivered with a complete schema of hundreds of tables and indexes, but companies rarely use them all.

A question may arise: What makes SAP different? One of the possible answers may be found in SAP brochures [24]: “All applications access common data. Real events in the business initiate transactions. Accounting is done automatically by events in sales and production. Sales can see when products can be delivered. The whole system is designed to be real-time and not historical.” But in my opinion the managers have compared SAP with old legacy SW and forgotten to compare it with existing ERP solutions from other developers, which normally offer the same functionality. What really makes SAP different is the experience in the domain, which cannot be bought so easily, and this is why SAP is a good example to analyse.

In the end I have to say that adopting SAP applications requires performing multiple changes to the existing business processes. These changes may be performed only after a deep analysis of existing events and relationships in the enterprise's operations.

3.2. SAP Application Modules

The power of the SAP system lies in its ability to integrate different application modules, which form the core of the system. Many companies do not implement all the offered modules but they may be linked in future. The modules are listed below [65]:

6 The Fortune 500 is an annual list of the top 500 U.S. public corporations as ranked by their gross revenue.


• Financial Accounting (FI) – responsible for generating reports and management of general ledger and other dynamically defined sub-ledger accounts.

• Controlling (CO) – a management tool that influences organizational decisions, based on the data regarding the flow of cost and revenue.

• Asset Management (AM) – offers instruments for managing and supervising different aspects of fixed assets (purchase and sale of assets)

• Project System (PS) – has the job to ensure that projects are executed efficiently.

• Workflow (WF) – combines the existing SAP modules with other technologies, tools and services offering new possibilities.

• Industry Solutions (IS) – offers industry-specific functionality.

• Human Resources (HR) – offers tools for managing the personnel.

• Plant Maintenance (PM) – offers tools for maintaining the existing equipment.

• Materials Management (MM) – supports business operations such as purchasing, inventory management, distribution and warehousing of products and materials.

• Quality Management (QM) – offers tools in order to supervise the planning, manufacturing and procurement processes.

• Production Planning (PP) – offers tools for managing the manufacturing.

• Sales and Distribution (SD) – helps to make activities related to sales, delivery and billing more efficient.

A more detailed description of these modules is offered in the chapter The Ideal ERP System.

3.3. SAP Topology

In order to understand the SAP R/3 topology it is enough to analyze two figures: Figure 4 (SAP R/3 Architecture) and Figure 5 (SAP R/3 Layers). From the first figure it is clear that SAP uses a three-tier architecture (see the Multi-Tier Architecture chapter for more details).

Figure 4 SAP R/3 Architecture


SAP is designed to work with a variety of different database management systems (DBMS); some of the supported DBMS are Oracle, DB2 and Informix [8]. Before installation it is necessary to define the DBMS type because the applications have to generate compatible SQL. This is why the DB has its own layer and the system is divided into three layers as shown in Figure 5 SAP R/3 Layers.

Figure 5 SAP R/3 Layers [8]

Another kind of topology is presented in the JFire [60] ERP system, which consists of a server and different types of clients (see the Multi-Tier Architecture chapter for more details). Currently the most powerful clients are rich clients. JSP7 web clients exist as well, but they do not offer all of the existing functions. The nice part about this system is that the server may act as a client to other servers; therefore different companies may cooperate. Each organization has its own JDO8 data store that offers a high degree of protection and the possibility to exchange data with business partners.

3.4. Commercial vs. Open Source ERP

An interesting fact is the existence of open source ERP systems for large companies. These systems are not as famous as the SAP or Oracle solutions, but an open source system may be a good foundation for the development of an ERP system for SEs [21]. It is considered that an open source project that has survived more than 2 years is a successful one, and such open source ERP systems exist. Another important fact is that open source systems are sometimes more secure and are offered in a bigger variety, so the chances of finding a solution that meets specific business requirements are bigger and, as a result, less configuration will be required. The important part is the final price, which sometimes may be very small.

7 Java Server Pages (JSP) is a Java technology that allows software developers to create dynamically-generated web sites, with HTML, XML, or other document types, in response to a Web client request. (Background information: [59])

8 Java Data Objects

Figure 6 Business open source systems [21]


4. ERP for SEs

The feature that makes SEs different is that they do not have the same volume of transactions, and the variety of their business functions is much smaller than in global conglomerates. They typically produce a limited number of products that are usually used as materials by other companies. Large ERP systems may adapt to nearly any business process. However, SEs usually select ERP applications that are specially designed for SEs. This is conditioned by three simple reasons:

1. Large ERP systems offer a big variety of tools, but developing them required big investments over a long period of time, and in order to offer the best performance it is necessary to use the latest technology; as a result they are very expensive.

2. The fact that these ERP systems are very flexible requires a vast configuration process that is time consuming.

3. Creating custom features needs a significant degree of training and time.

Besides being relatively inexpensive and easy to use and set up, small-sized systems need to be easily configurable and preferably able to communicate with other systems that might be used by business partners. This is motivated by the fact that business partners may change their requirements, and the SE cannot always adapt to them instantly. In order not to lose a business partner, the SE may sub-contract another company that meets the necessary requirements. This gives it time to adapt and return to the business. Such events in the business process require an ERP system that can be configured very fast, or that can be upgraded to a better version. Upgrades to large ERP systems are normally expensive because it takes more time to develop customizations, reconfigure and test the updated system. Without doubt this is conditioned by the complexity of the modules and the linkages between them.

Today SEs have the possibility to choose what kind of ERP system to use. A new trend in the domain is the Web-based ERP solution, which allows using a smaller ERP system at a much lower price than a premise-based solution. This is achieved by hiring a provider to host and operate the ERP system. In this way SEs save the cost and bother of employing extra IT staff who would be responsible for the system. However, this kind of solution has its own drawbacks. The information can be easily compromised for two reasons: it is transferred through a network, usually the Internet, and the sensitive information is put in the hands of a third-party contractor. Another risk is the bad quality of the offered services, since not all service providers are mature enough. Of course it is possible to opt for a highly customizable hosted solution from Oracle Corp. (Oracle On Demand) or SAP (Business ByDesign), but once again these customizations can raise the price to a level that would make it unaffordable for SEs [2].

An alternative to the solutions provided by companies such as Oracle Corp., SAP, Microsoft and other commercial vendors are open-source products. Such products can be customized without the need to pay a licence fee. SEs have to choose which open-source ERP system to implement according to their actual business needs. More information about open source ERP systems may be found in the chapter Commercial vs. Open Source ERP [2].


4.1. ERP software requirements

When defining ERP SW requirements, it is necessary to take into account the features covered by the ERP system and the budget limit, which is always a very big concern, especially for SEs. ERP system requirements may be divided into 5 areas:

1. Application SW – The core business processes that have to be supported by the ERP system

2. Resource Environment – Hardware, operating system, network and database

3. Development Features – Programming languages, architecture, security and future development

4. Maintenance Support – Immediate assistance and long-term support that consists of development and updates

5. Training Methods – Initial training and long-term improvement of training

Of the above requirements, the first was analyzed in the chapters The Ideal ERP System and SAP Application Modules. The second and the third requirements are the ones that will be analyzed further in this paper.

4.2. Programming language

The programming language should not be neglected, for two main reasons:

1. Not all programming languages solve the same problem in the same way and as a result the performance and time spent to write the solution is different;

2. Any ERP system will one day be modified in order to meet the needs of the customer, and it is important not to waste time on learning the programming language.

The conclusion is that the programming language is one of the focal pieces in the success of an ERP system's functionality. The question arises: What is the appropriate programming language for an ERP system? The best way to answer this question is to find a language that embraces the following requirements:

• Portability: Language portability is ERP portability.

• Powerful IDE and Application Servers: Make the development and future maintenance faster and cheaper.

• Community: Diminishes ERP solution cycle time.

• New Technology Support: The ERP vendor does not need to invest in supporting new technology since the platform supports it.

• DB Support: Because ERP is usually a DB-centric system, this is extremely important.

• Object-oriented: ERP has many layers and millions of lines of code.

• Powerful Library APIs: Any developer knows that it is better to use a tested library than to invent it once again.

It is a waste of time to analyse all the existing programming languages; I believe that the best option is to analyse the programming languages that have been used by the existing ERP developers. Such information may be found in source [11]. SAP R/3 uses a proprietary 4GL (Fourth Generation Language - ABAP/4) and PL/SQL from Oracle. Other ERP SW such as Ramco, Oracle and BaaN provide 4GL programming languages as well. For developers who do not want to learn the 4GL language there exist tools that offer the chance to use standard programming languages. On the other hand, open source ERP systems mostly use Java and PHP, making them compatible with many operating systems.

Long-established ERP developers do not use Java. This is probably influenced by the fact that Java is a relatively young language and they opted for already tested techniques. Java is the language that supports the requirements defined earlier: it has good IDEs; the Java community is big and active, and as a result many libraries are written and easily usable; many DBMS9 vendors support Java through JDBC10 implementations that are powerful and robust; it is object oriented. The power of the languages provided by Microsoft is in some cases greater than Java’s, but the lack of cross-platform support is a real minus. Yet in recent years projects have appeared that offer the possibility to run SW developed for the .NET framework on other platforms, including Linux and UNIX. Examples of such projects are DotGNU [6][58] and Mono [62].

4.3. Modules

In previous chapters I have presented the modules of ERP systems that are usually implemented in large companies, and now I will try to present the modules that are appropriate for SEs. When speaking about the modules that may be required by SEs, it has to be taken into account that they do not have to be as complex as the modules used by large companies, but they have to be extensible. The modules that may be required from an ERP system for a small company are:

• Financial

• Sales

• Manufacturing

• Purchasing

• Human Resources and payroll

Even if the number of modules is smaller than in existing ERP systems for large companies, some of these modules can be useless to SEs. Small companies normally invest in features that can essentially increase the productivity and the revenue. This is motivated by the price of implementation, which includes time for customising, installing, testing and teaching the personnel. Studies have shown that SEs at first implement modules that support the financial control and reporting processes and then the sales and manufacturing modules [10]. Also these modules shall contain sub modules that could be easily configured. For example the manufacturing module may contain the following sub modules:

• Items

• Bill of Materials

• Inventories

• Product Plans

• Production

• Outside production

• Equipments and quality

For a better understanding of how these modules may operate I will just present the use case diagram of the Manufacturing module (see Figure 7 Manufacturing use case diagram).

9 A database management system (DBMS) is computer software that manages databases.

10 Java Database Connectivity (JDBC) is an API for the Java programming language that defines how a client may access a database.

Figure 7 Manufacturing use case diagram [12]

4.4. Software deployment

ERP vendors offer a big variety of systems that have different packages of tools; but what is more important, they offer different types of SW deployment. For a developer it is important to decide what kind of SW deployment the ERP system will support, because the design of the whole SW solution may depend on it. On the other hand, SEs have to select the ownership type according to their financial possibilities and the required level of quality and security. Based on these facts there are three basic deployment types:

• On-premise installation, one-time payment;

• On-demand, SW as a service (SaaS), payment per-user/per-month;

• On-premise deployment, payment per-user/per-month.

Traditional On-Premise Installation

On-site [25] implementations can be acquired by paying a one-time licence fee, instead of a monthly fee. The charges are usually stable and should not increase as time goes on. To some companies it offers a better feeling of ownership and security. Of course there can be additional yearly maintenance fees, which are required as a motivation for developers to write updates. It is considered that this type of installation is more cost-effective if it is used for a longer time period. However, it also requires investing in HW and infrastructure [1]. This kind of installation requires a testing environment that can be used as a backup to the main system. The benefits of an on-premise installation are:

• Fee: One of the most cost-effective if speaking about a long time period.

• Data and Security: If the amount of saved data is big, it is better to preserve control of storage systems. In this way the company is in control of the security and backups, although this requires additional payments.

• Accessibility: There is no need of using an Internet connection; as a result the level of security is higher. (Although Internet may be used if the components are at a big distance.)

Software as a Service (SaaS) - Hosted Option

The SaaS [51] model was partially described in the chapter ERP for SEs. According to [29], “Gartner predicts by 2010 around 30 percent of new License purchases (In APAC excluding Japan) will be in form of SaaS, or delivered through the SaaS model.” SaaS benefits over an on-premise installation are:

• Fees: No need to pay for installation or additional IT staff.

• Automatic upgrade: Accessibility to the latest technology is usually for free.

• Trial: Usually the host offers the chance to test the service before buying it.

• Security and backup: Is provided by the host, which has to implement its own security policy.

Another option is the SaaS model with a per-user/per-month licence, which has the following advantages:

• Initial cost and stable fees: No major initial payments and contract stipulated monthly fees.

• Functional Scalability: Usually the host offers the chance to acquire additional functionality to the existing package at a low price.

Taking in account the benefits offered by SaaS, I may say that this type of ownership is a good option for SEs, giving the chance to concentrate on core business problems.

On-Premise Installation per-user/per-month [25]

This type of installation offers a mixture of the advantages and disadvantages of the SaaS model and the traditional on-premise installation. The company pays per-user/per-month and at the same time maintains the ERP system in-house. The benefits are, from the SaaS model: initial cost, fee stability and functional scalability, and from the on-premise installation: security and accessibility.


It is hard to say which installation type is the best for an SE. As was said before, large companies consider that, in comparison with traditional ERP, they do not have as much ownership over SaaS SW as they would like. On the other hand, SEs have fewer requirements and may choose from a bigger variety of SaaS solutions, but they have to take into consideration the short and long-term company requirements. The best option for SEs is to find a solution that would give the possibility to move a major part of business operations from SaaS to on-premise, without having to pay big fees.

4.5. Architecture

In order to develop a proper ERP system it is necessary to start by designing the system’s architecture [15]. In the world of SW development there exist multiple definitions related to system architecture. To obtain a SW solution that embraces all the requirements, it is necessary to select and combine different concepts. Below I will explain some of the architectures that may be useful to ERP system developers.

4.5.1. Services Oriented Architecture (SOA)

According to [37], “Attempted SOA will cause great successes and great failures of SW projects. Understanding its role and meaning, beyond the simplistic hype, is the imperative for every enterprise software architect.” SOA uses standard protocols and languages to operate and it forms freestanding self-describing units of functional code with published interfaces, which:

• Offer the possibility to use components without knowing the programming language that was used for development.

• Can be linked with other services within a business process.

It is important to recognize what Web Services have in common with SOA. Source [37] specifies that: "Web services are about technology specifications, whereas SOA is a software design principle. Notably, Web services' WSDL11 is an SOA-suitable interface definition standard: this is where Web services and SOA fundamentally connect." SOA can be offered in many other ways, not only as Web services. After implementing SOA, it is possible to create a single interface and to remove redundant system components. As a result, it works like a network, and by using the existing services new business processes are formed more rapidly.

The Benefits of SOA

The Made2Manage ERP has created a SW solution based on SOA. They motivated their choice saying, “ERP SOA product strategy has many practical applications for small manufacturers”: [46][13]

• Secure IT investments – changing the structure of the business processes or just updating the existing system does not imply paying for a new platform or SW re-implementation.

• Connectivity – provides the ability to communicate with other incompatible systems, as a bridge.

• High quality and fast development – reduces the number of areas within the SW where code must be modified in order to expand the functionality. Therefore, the chance of making mistakes is lower and, as a result, quality assurance is faster.

• Transparent, comprehensible and reusable – it is easy to understand and to find the right usage for each existing service.

• Easy upgrades – only modules that have been modified are being replaced.

Of course the given description is wonderful, but in some cases SOA is much too expensive if we are speaking about an SE that does not need such complexity, which is mainly conditioned by the need to develop new functionality. However, SEs may use the concepts on which SOA is based: distributed computing12 and modular programming13 [13]. When speaking about modular programming I have to note the existence of the Model Driven Architecture concept. Detailed information on SOA concepts may be found in sources [31][32].

11 The Web Services Description Language (WSDL) is an XML-based language that provides a model for describing Web services.

4.5.2. Model-Driven (MDA) and Event-Driven Architecture (EDA)

Model Driven Architecture (MDA) [47] is a SW design methodology, which specifies a platform independent UML [66] model, plus platform specific models that describe how the base model is implemented on particular platforms. Compiere [56] used MDA while creating their ERP system in order to enable broader application adaptability, faster deployments, independence of business needs from technological features and lower cost of ownership compared to the earlier generation of enterprise SW.

An EDA is a template that is used for orchestrating the behaviour of different modules, which are usually named consumers or producers. In this context the event is represented by the message sent from producer to consumer. The benefit of EDA is that it allows multiple asynchronous events to happen in parallel and trigger a single action [33].

Currently giants such as SAP and Oracle are working on providing SOA ERP systems, but only large companies have the courage to implement them. As a result the concept is not fully tested. In my opinion SEs have to opt for ERP systems that are being created on the principles of distributed computing and modular programming.

4.5.3. Multi-Tier Architecture

ERP applications have to satisfy all kinds of requirements, two of which are scalability and availability. This is the reason why ERP applications are very often arranged in a distributed way [9], which may even imply having components at a long distance from each other. Servers may be centralized, which makes them easier to manage, but the clients cannot be centralised and are usually set up in a very chaotic manner. At a higher level of abstraction we may divide the whole system into three layers according to areas of responsibility. First, there is the DB – the central repository for all data. Second, the place where data are inputted, requests for information are submitted, and results are presented. Third, the application that is like a bridge between the client and the DB, permitting them to interact. The physical location of these three layers and the way the processes are distributed may vary from one implementation to another. The two most commonly implemented architectures are two-tier and three-tier. Multi-tier architecture is a logical way of dividing the responsibilities; physically all the tiers may run on a single machine.

12 In distributed computing a program is split up into parts that run simultaneously on multiple computers communicating over a network.

13 “Modular programming is a software design technique that increases the extent to which software is composed from separate parts, called modules. Conceptually, modules represent a separation of concerns, and improve maintainability by enforcing logical boundaries between components. Modules are typically incorporated into the program through interfaces.” (http://www.siteworx.com/company/glossary_of_terms)

Two-tier architecture

In classic two-tier architecture, the server is responsible for the DB and the applications. On the client side data are inputted, requests for information from the server are submitted and results are presented. From practice it is known that two-tier architecture is suitable only for small environments with a maximum of 50 users; as a result it does not offer the necessary level of scalability. Figure 8 Two-tier architecture provides a schematic view of two-tier architecture.

Figure 8 Two-tier architecture [3]

Three-tier Client/Server architecture

Three-tier architectures include three or more interacting tiers, which have their own specific responsibilities. Three-tier architecture is very typical for ERP systems. It satisfies the scalability and availability requirements by separating the DB and application functions. This type of architecture may support hundreds of clients [33]. Another difference in comparison with two-tier architecture is the necessity of creating two or more network connections in order to satisfy the client requests. The first connection is created when the client starts to communicate with the application server. The second is created between the application server and the DB server. This may influence the system performance. Figure 9 Three-tier architecture illustrates this type of implementation.

Figure 9 Three-tier architecture [3]


• Client (tier 1): is a thin-client that provides the presentation logic (simple control and local user input validation).

• Middle tier server (tier 2): provides the business processes logic and an interface for data access.

• Data server (tier 3): provides the storage space for the DB.

As seen in the chapter SAP Topology, SAP R/3 uses three-tier architecture. ERP systems for SEs can also use this architecture because it brings the following advantages:

• The system becomes more flexible and easy to update and maintain.

• Higher performance and scalability [52].

• Security measures can be implemented within the application servers without delaying the clients [3].

Large companies often modify the three-tier architecture by adding all kinds of HW that increases the security and the performance of the system, but this does not change the initial concept.
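The division of responsibilities between the three tiers, and the point that security measures belong in the application server, can be shown with a short sketch. It is an added example, not code from the thesis or from any ERP product; the role table, the session tokens and the order data are constructed assumptions, and SQLite stands in for the data server.

```python
import sqlite3

# Hypothetical role model (an assumption of this example): operations each role may call.
PERMISSIONS = {"sales": {"create_order", "list_orders"}, "warehouse": {"list_orders"}}


class Rejected(Exception):
    """Raised by the middle tier when a request fails a server-side check."""


def make_data_tier():
    """Tier 3: an in-memory SQLite table standing in for the ERP database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL,"
        " item TEXT NOT NULL, quantity INTEGER NOT NULL, created_by TEXT NOT NULL)"
    )
    return db


class OrderService:
    """Tier 2: business logic and the only code that talks to the data tier."""

    def __init__(self, db, sessions):
        self._db = db
        self._sessions = sessions  # token -> (user, role), filled in at login

    def _authorize(self, token, operation):
        session = self._sessions.get(token)
        if session is None:
            raise Rejected("unknown session")
        user, role = session
        if operation not in PERMISSIONS.get(role, set()):
            raise Rejected(f"role {role} may not call {operation}")
        return user

    @staticmethod
    def _check_text(name, value):
        if not isinstance(value, str) or not 1 <= len(value.strip()) <= 80:
            raise Rejected(f"invalid {name}")
        return value.strip()

    def create_order(self, token, customer, item, quantity):
        user = self._authorize(token, "create_order")
        # Tier 1 validation is repeated here: a modified client can skip its own checks.
        customer = self._check_text("customer", customer)
        item = self._check_text("item", item)
        if type(quantity) is not int or not 1 <= quantity <= 10_000:
            raise Rejected("invalid quantity")
        # Placeholders keep client-supplied text out of the SQL statement itself.
        cur = self._db.execute(
            "INSERT INTO orders (customer, item, quantity, created_by) VALUES (?, ?, ?, ?)",
            (customer, item, quantity, user),
        )
        self._db.commit()
        return cur.lastrowid

    def list_orders(self, token, customer):
        self._authorize(token, "list_orders")
        customer = self._check_text("customer", customer)
        return self._db.execute(
            "SELECT id, customer, item, quantity FROM orders WHERE customer = ? ORDER BY id",
            (customer,),
        ).fetchall()


def attempt(call, *args):
    """Run one client request and report how the middle tier answered it."""
    try:
        return ("ok", call(*args))
    except Rejected as exc:
        return ("rejected", str(exc))


def demo():
    # Constructed sessions and requests; none of these values come from a real system.
    sessions = {"t-sales": ("alice", "sales"), "t-wh": ("bob", "warehouse")}
    service = OrderService(make_data_tier(), sessions)
    return [
        attempt(service.create_order, "t-sales", "ACME s.r.o.", "bolt M6", 200),
        attempt(service.create_order, "t-wh", "ACME s.r.o.", "bolt M6", 5),      # wrong role
        attempt(service.create_order, "t-sales", "ACME s.r.o.", "bolt M6", -5),  # client check skipped
        attempt(service.create_order, "t-none", "ACME s.r.o.", "bolt M6", 5),    # no session
        attempt(service.create_order, "t-sales", "O'Brien & Sons", "nut M6", 10),
        attempt(service.list_orders, "t-wh", "O'Brien & Sons"),  # the quote is matched as plain data
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The client tier never receives a database connection: it can only call the two service methods, so every rule enforced there holds for every client, thin or rich.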

4.6. Operating System (OS)

Selecting the OS on which the ERP system is going to run is very important, because in the majority of cases it is really hard to migrate from one OS to another. When selecting the OS, the following have to be taken into account:

• Price

• Support, future development and updates

• Security level

• Functionality and ease of use

• Future trends

• Purpose: server or client station

The price plays a small role for large companies. They have the resources and they receive discounts, while for an SE it has to be as small as possible. The price of the OS may include, besides the licence price, the price paid monthly for support, administration and HW requirements. It is important to be able to find support regarding the functionality of the OS because even an experienced administrator may need help in some situations. It also has to be understood that no OS is 100% perfect and that possible threats may be eliminated only by updating it. By tracing the future trends it is possible to forecast which OS will get the biggest support in the future, and as a result it will not be necessary to make core modifications when a better technology is developed or when the organization needs to implement new functions.

The main OS that are used by the existing ERP systems are UNIX, Windows and Linux. Those who opt for Linux expect it to be cheaper, but the claim that Linux is cheaper than Windows is not always valid. For example Red Hat, the largest distributor of Linux, charges $1,500 for part-time and $2,500 for full-time support, per server. However, many large companies use Linux. For example, the article "Why Business Loves Linux" from Fortune Magazine mentioned that Linux is becoming one of the most popular OS in the public sector and, what is more important, in the business world too. Because of the increasing pressure to save money, Linux [53] may be the cost-effective alternative to Microsoft products. According to [53], “Companies like Boeing, Amazon.com, E-Trade Financial, DreamWorks, Google and virtually every major Wall Street firm have either finished reconfiguring big chunks of their servers to run Linux or are in the process of doing so.” Linux offers lower labour costs (10-20%) and a significant improvement in response time. Besides big companies, some governments (China, Germany and others) are also analysing the option of using Linux as a way of saving money.

The conclusion is that small companies may use Linux for servers and client stations without paying big sums of money for support, because they do not have complex ERP systems. Many ERP systems use thin clients that can interact with the server using a web browser [11]. Linux for client stations may be configured for comfortable use, and as a result the SE will make higher savings on HW and SW. On the other hand, it has to be taken into account that programs that run on Windows do not usually run on Linux; still, Linux also offers a variety of programs that an SE may need, and which are usually free.

4.7. Data storage

Having an ERP system without any data stored makes no sense. Such a system is totally useless and represents the opposite of the core meaning of an ERP system. Storing data and then using them is a real science, because it is not enough just to save some information on some kind of storage media; it is important to be able to do it fast and securely. And as if this were not enough, it is also necessary to be able to find the required entry and modify it in the shortest time possible. The first ERP system dates from 1970, and since then the storage technology has been constantly evolving to support the increasing amounts of data and the requested reply time. Unlike legacy systems, which used flat files, traditional IBM Indexed Sequential Access Methods (ISAM) and Virtual Sequential Access Methods (VSAM) for saving data, current ERP systems are used with relational databases [38].

A relational database (DB) contains a collection of data items that are organized, from the user’s view, in tables. It offers the possibility to create queries on multiple tables and even modify the contained data in a very fast way, compared with other storing methods [48]. For example, an order entry from a DB may include information from a table that describes customers and another table that describes the purchases. If a logical relationship exists between these two tables, a branch office manager might create a report listing the customers that bought certain types of products. At the same time, a financial service manager may obtain from the same tables a report on accounts that did not pay for delivered products. Besides the fact that it is easy to create and access, a relational DB may be extended with a minimum of effort. This means adding a new table or just a column, without losing the existing data or needing to change the whole structure of the ERP system. As a result it is easier to add functionality to the existing ERP system.

The variety of DBs is big, and as a result their price and power differ. This is good news for SEs: they have the possibility to choose and save money. Further in this text the acronym DB stands for relational database. Large companies usually use mainframes and DBs that have been created to provide the best results when they are brought together. These kinds of solutions are very expensive and SEs should not make such big investments. For an SE it is enough to use a free DB because the size of the saved data is usually a lot smaller and as a result the DB does not need to be so powerful. It also has to be noted that DBs of this kind can be largely self-governing (a job security threat) and require minimal intervention. As a result they are much easier to administer and the monthly fees go down.

Another important fact is that the performance of the DB is highly connected to the design quality of the application that uses the DB. A higher performance may be obtained by normalizing the DB tables. Another design issue is creating an abstraction layer that permits changing the DB technology without modifying the ERP applications. This technique is used by some of the modern ERP systems. For example the open source ERP system Adempiere offers support for DBs such as Oracle and PostgreSQL. DB independence is a priority technology goal for their project [54].
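The customer and purchase example from this section, written out as two related tables with the two managers' reports and a later schema extension. This is an added illustration, not part of the thesis; the table layout, column names and rows are constructed, and SQLite is used only so that the sketch runs without a server.

```python
import sqlite3


def build_db():
    """Two related tables with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, name TEXT NOT NULL, branch TEXT NOT NULL);
        CREATE TABLE purchases (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),  -- the logical relationship
            product_type TEXT NOT NULL,
            amount_cents INTEGER NOT NULL,
            delivered INTEGER NOT NULL,
            paid INTEGER NOT NULL);
        INSERT INTO customers VALUES
            (1, 'ACME', 'Prague'), (2, 'Borek', 'Prague'), (3, 'Cirrus', 'Brno');
        INSERT INTO purchases VALUES
            (1, 1, 'fasteners', 12000, 1, 1),
            (2, 2, 'fasteners',  8000, 1, 0),
            (3, 2, 'tools',      4500, 0, 0),
            (4, 3, 'tools',     30000, 1, 0);
    """)
    return db


def customers_who_bought(db, branch, product_type):
    """Branch office manager's report: customers of a branch that bought a product type."""
    rows = db.execute(
        "SELECT DISTINCT c.name FROM customers c"
        " JOIN purchases p ON p.customer_id = c.id"
        " WHERE c.branch = ? AND p.product_type = ? ORDER BY c.name",
        (branch, product_type),
    )
    return [name for (name,) in rows]


def unpaid_deliveries(db):
    """Financial manager's report: accounts with delivered but unpaid products."""
    return db.execute(
        "SELECT c.name, SUM(p.amount_cents) FROM customers c"
        " JOIN purchases p ON p.customer_id = c.id"
        " WHERE p.delivered = 1 AND p.paid = 0"
        " GROUP BY c.id ORDER BY c.name"
    ).fetchall()


def add_due_date(db):
    """Extend the schema by one column; existing rows keep their data (new value is NULL)."""
    db.execute("ALTER TABLE purchases ADD COLUMN due_date TEXT")
    db.execute("UPDATE purchases SET due_date = '2009-06-30' WHERE id = 4")
    db.commit()
    return [row[1] for row in db.execute("PRAGMA table_info(purchases)")]


def reports_survive_extension():
    """Run both reports before and after the extension and compare the results."""
    db = build_db()
    before = (customers_who_bought(db, "Prague", "fasteners"), unpaid_deliveries(db))
    columns = add_due_date(db)
    after = (customers_who_bought(db, "Prague", "fasteners"), unpaid_deliveries(db))
    return before == after, columns


if __name__ == "__main__":
    db = build_db()
    print(customers_who_bought(db, "Prague", "fasteners"))
    print(unpaid_deliveries(db))
    print(reports_survive_extension())
```

Because both report functions name the columns they need, adding `due_date` leaves them untouched, which is the low-effort extension the paragraph describes.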

4.7.1. Data sharing

A primary advantage of ERP systems is that they are designed to offer the same source of data, in this way creating an easy way of sharing information between multiple employees. DBs bring one more advantage: they offer the possibility to use the ERP system concurrently, although this still requires implementing logic to resolve collision conflicts. Once an employee enters a transaction, the data are available for reference and use by other functional areas within the company as well as by external business partners. Listed below are some improvements in the ordering process that are obtained by using an ERP system with a DB:

• Information on an order is immediately carried into shipping without re-entry.

• The customer master record used for entering the order may be used for billing and cash processing.

• The result of shipping automatically updates inventory quantity and the general ledger, allowing supply chain partners to efficiently implement cost-saving practices like vendor-managed inventory.

Shared data expedite the processing of business transactions for a more rapid response to customer requests.

4.7.2. ERP Database Management System (DBMS)

The Database Management System (DBMS) is the place for the daily data transactions and an important resource environment for the ERP system. The ERP DBMS may be considered the most critical element of the entire system. The DBMS is the package that offers the necessary tools for manipulating the DB; as a result DB and DBMS are often considered to be the same. The ERP system should offer a choice of DBMS. This may be helpful if the organization has a DBMS already installed but wants to implement a new ERP system. When selecting a DBMS, one has to take into consideration the speed, which has to be reliable. The DBMS should support the daily transaction volume because slow transactions may be a disaster for the company (e.g. Fox-Meyer [40]). Also, the data from the DB should be available at any moment to authorized persons and secure from being accessed by unauthorized persons. This is why the simplest solution is to have one DB that is shared by all processes. The DBMS also has to solve conflicts, such as multiple users writing values to an entry simultaneously, or writing values that depend on previously read data. This may be summarized as the requirement to support parallelism and consistency.
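The second kind of conflict, a write that depends on previously read data, is the one the collision logic mentioned under Data sharing has to catch. The sketch below is an added example, not from the thesis: it replays the interleaving of two clerks shipping from the same inventory entry, first without a check and then with a version column; the table, the item and the quantities are constructed.

```python
import sqlite3

ITEM = "bolt M6"  # constructed sample item


def make_inventory(quantity):
    """Create an in-memory inventory table holding one item."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE inventory (item TEXT PRIMARY KEY,"
        " quantity INTEGER NOT NULL CHECK (quantity >= 0), version INTEGER NOT NULL)"
    )
    db.execute("INSERT INTO inventory VALUES (?, ?, 1)", (ITEM, quantity))
    db.commit()
    return db


def read_item(db):
    """Return (quantity, version) as a client sees them when it opens the entry."""
    return db.execute(
        "SELECT quantity, version FROM inventory WHERE item = ?", (ITEM,)
    ).fetchone()


def blind_write(db, new_quantity):
    """Store a value computed from an earlier read without checking the row is unchanged."""
    db.execute("UPDATE inventory SET quantity = ? WHERE item = ?", (new_quantity, ITEM))
    db.commit()


def checked_write(db, new_quantity, seen_version):
    """Store the value only if the row still has the version that was read."""
    cur = db.execute(
        "UPDATE inventory SET quantity = ?, version = version + 1"
        " WHERE item = ? AND version = ?",
        (new_quantity, ITEM, seen_version),
    )
    db.commit()
    return cur.rowcount == 1  # 0 rows changed means someone else wrote first


def atomic_ship(db, amount):
    """Alternative: let the DBMS do the read-modify-write in a single statement."""
    cur = db.execute(
        "UPDATE inventory SET quantity = quantity - ?, version = version + 1"
        " WHERE item = ? AND quantity >= ?",
        (amount, ITEM, amount),
    )
    db.commit()
    return cur.rowcount == 1


def lost_update():
    """Clerks A and B both read 100, then ship 30 and 50; B's write erases A's."""
    db = make_inventory(100)
    seen_a, _ = read_item(db)
    seen_b, _ = read_item(db)
    blind_write(db, seen_a - 30)
    blind_write(db, seen_b - 50)
    return read_item(db)[0]  # stock on record no longer matches what was shipped


def detected_conflict():
    """Same interleaving with the version check: B is refused, re-reads and retries."""
    db = make_inventory(100)
    seen_a, ver_a = read_item(db)
    seen_b, ver_b = read_item(db)
    a_ok = checked_write(db, seen_a - 30, ver_a)
    b_ok = checked_write(db, seen_b - 50, ver_b)  # stale version
    seen_b, ver_b = read_item(db)
    b_retry_ok = checked_write(db, seen_b - 50, ver_b)
    return a_ok, b_ok, b_retry_ok, read_item(db)[0]


if __name__ == "__main__":
    print("without check:", lost_update())
    print("with version check:", detected_conflict())
```

For an ERP system the difference matters beyond correctness: after the unchecked run the inventory record overstates stock by 30 units, and nothing in the table shows that it happened.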

For better performance, the data keyed in and the results of the reports have to be accurate. Data redundancy also has to be eliminated from the DB. Finally, the DBMS has to have backup and disaster recovery tools, and a backup and recovery strategy for the ERP DB has to be created. If a disaster happens, such as a hard disk crash, flood, fire or earthquake, the company can still use the DB backup to continue business operations. The recovery strategy should be easy to perform and the downtime has to be as short as possible. The DBMS may maintain a log file of changes that may be used in case of corruption or disaster, or for audit. Currently there are several DBMS that are very powerful in supporting ERP DB requirements, for example Oracle, MS SQL Server, IBM DB2, PostgreSQL, etc. In this context it has to be noted that ERP systems for big companies usually use a DBMS provided by Oracle. However, it is possible to find cases where open source DBMS are used as well. For example, NASA uses MySQL to store some of its information, and the American Chemical Society uses PostgreSQL to store unique data [35]. The list of free DBMS that might be used by an SE does not contain only open source DBMS; there are also “free” offerings by commercial DBMS vendors, such as IBM DB2 Express-C, Oracle Express Edition (XE), and Microsoft SQL Server Express 2005. Among the open source DBMS the most notable are MySQL and PostgreSQL. A comparison table of existing DBMS with technical information may be found in sources [30][57]. In my opinion IBM, which offers the DB2 Express-C DBMS, presents an interesting offer, and I will try to explain why. DB2 Express-C is IBM's free data server, which appeared on the market in January 2006 and offers full functionality [45].
The first thing that has to be noted is that, in comparison to MS SQL and Oracle XE, this product is really free: without any license charges, with a perpetual licence (no time limits), and it can be used for building applications and deploying them in production in a company. Developers who use this product in building their SW may distribute the SW with a copy of DB2 Express-C without any additional fees paid to IBM. The other “free” products in most cases impose restrictions whose purpose is to catch customers and, with time, impose the necessity to invest in a full product. For example, a frequent type of restriction is limiting the amount of data that can be stored. Using DB2 Express-C the company can store as much data as it wants, while Oracle XE may store a maximum of 4 GB of data. IBM DB2 has technical restrictions when it comes to the maximum number of instances. Each instance may have a maximum of 256 DBs with 64000 active users connected to one DB. All these restrictions are similar to those of the DB2 Enterprise product, so they are not conditioned by the fact that it is free. On the technical side, DB2 Express-C limits the maximum amount of resources: it uses a maximum of 2 CPUs and 4 GB of memory from the existing resources. Oracle XE and MS SQL Server Express 2005 have a maximum limit of 1 CPU and 1 GB of memory. IBM DB2 is offered in 32-bit and true 64-bit versions for Linux and Windows, even on Windows XP Home edition, while MS SQL Server can be used only on Windows systems. Oracle XE is offered only in a 32-bit version. MySQL and PostgreSQL may also run on Windows and Linux, and they also run on FreeBSD and MacOSX [35]. MySQL uses a single DB daemon for access, while PostgreSQL creates a new DB process at every connection.

For companies that are looking forward, it has to be said that applications developed with DB2 Express-C can be transferred to another type of server, for example DB2 Enterprise, without code changes, recompilation, or even configuration. This is probably the main idea of IBM's marketing strategy. The lack of replication support may be considered another minus. However, if an SE has only one server there is no need to replicate. When it comes to backups, all the commercial DBMS offer a variety of tools (e.g. Veritas NetBackup, Tivoli TSM, etc.); still, not all are free. Open-source DBMS do not offer the same backup support, but scripts exist for a simple text dump of the data and the DB schema [35]. MySQL and PostgreSQL also provide the possibility to create a hot DB backup, that is, a backup without shutting down the DBMS. They also offer methods for recovering after soft failures (e.g. after power failures). PostgreSQL implements a system called Write Ahead Logging that is used for consistency checking. MySQL also provides consistency checking, but only under InnoDB table types [35]. MySQL and PostgreSQL are usually used to operate with hundreds of gigabytes, a fact that may seem a minus when compared with Oracle or IBM DB2, which can manage terabytes, but in the context of SEs this is not so important. SEs do not have so much data that has to be saved in a DB. For example, SAP AG in Walldorf, Germany, has 45000 employees around the world, and its Human Capital Management module needs 650 GB for the DB and runs on IBM DB2 [49]. In comparison, an SE cannot have more than 1000 employees. In conclusion I may say that an ERP system for an SE may use one of the following DBMS: IBM DB2 Express-C, MySQL or PostgreSQL, and so decrease the invested sum. Having a DB is not enough; it is important to design and use it in the right way. This means it is necessary to use all the tools that the DBMS offers, for example indexes, caching or monitors.
Another good practice is to use DBMS stored procedures and functions because they are designed to offer the best performance.

4.8. Network

While planning or making changes to a business process, network issues very often get overlooked. “System” developers, who are responsible for sizing the servers and estimating the number of users they can support, and “Desktop” developers, who plan the SW architecture and functionality on the client side, assume that the network will handle the application data transfers just as it handles every other application. But this assumption is wrong. ERP applications do not behave just like any other network application [42]. Without doubt the speed of the ERP system is influenced by the network performance. Almost without exception, the power of the server and client machines is directly proportional to the experienced system performance. But if the network cannot handle all of the requests put on it by the fast server and clients, the system will seem slow. The most common networking standard, 100BaseT, moves data at 100 megabits per second, providing a tenfold improvement over the older 10BaseT standard of 10 megabits per second. But having a fast network is not enough; it is also necessary to try to decrease the network traffic. This may be done by using good network protocols and by balancing the duties performed by the servers and clients. Using a single network protocol is preferred, and if other protocols are not required to support other systems on the network, standardizing on TCP/IP or HTTP will minimize problems and maximize performance and flexibility. If it is necessary to use multiple protocols, it is best to keep their number as small as possible and to ensure that the protocol stacks are installed consistently around the network. Unused protocols have to be removed in order to eliminate any opportunity for problems. The challenge of using multiple types of protocols should not occur in SE ERP systems.

4.8.1. The Reliability Challenge

Using an ERP system inside a company implies creating a relatively big network of components that may fail at any moment. If the number of components needed to process a task is big, the chance of failure is higher. To minimize the chances of failure it is necessary to use redundancy and failover strategies. These strategies may be implemented in different ways, for example: adding redundant components, deploying servers in farms, clustering application servers, replicating DBs across data centres, etc. When speaking about networks and reliability, great attention has to be paid to issues related to SW communication [9]. Components should be able to send and receive data packages accurately and in the fastest possible way. It is also necessary to ensure that messages arrive at the destination in the same form as when sent, even if they are sent over unreliable networks, or just lost along the way. Of course, selecting the right type of network protocols may solve some of these tasks; otherwise the developer has to provide solutions, which are usually expensive for SEs. The distribution of the application components may have a big impact on the system performance and reliability. In order to obtain a reliable solution the following points have to be taken into account: [42]

• Assuming that the network will handle any ERP application is wrong and it is critical to understand how the application performs on the network before implementing it in an enterprise.

• Before installing any new components (HW or SW) to the existing ERP system, the network has to be tested in order to understand how the component will perform and what impact it will have on other existing components.

• Special attention has to be paid to WAN links and to LANs with high traffic.

• Every ERP deployment is different, having different configurations, architecture and distribution of computing resources; as a result the network performance is also different in every environment.

• It is necessary to understand the traffic flow (client-to-server and server-to-server) and try to set the location of computing resources for a balanced traffic flow.

The benefits of a design under local conditions may become weaknesses when faced with global conditions. The design has to be based on the interaction distance: within the same process, across multiple processes on a single host, on a LAN, or spread across a WAN. Additional security concerns become evident when interactions take place across a WAN, which may be compared to interactions across the Internet, which is considered to be a very insecure place.

4.8.2. Network Performance

The performance of an application that intensively uses the network is determined by four main factors: application requirements, interaction style, architecture and implementation of each component [26]. A SW has to pay some basic costs for completing the application tasks. For example, if the application requires a DB server to be situated on a different machine than the client, and if they have to interact, the SW cannot avoid moving data between the server and the client. Likewise, it is impossible to create an architecture more efficient than its interaction style permits. For example, the cost of numerous interactions to transfer data from the DB to the client cannot be any less than that of a single transfer from server to client. Interaction style influences network performance, and it may be characterized by the number of interactions per user action and by the size of the transmitted data. As a result, a style may offer small, strongly typed interactions that would be efficient in an application that involves small data transfers, but will cause excessive operating costs if the application performs large data transfers. On the other hand, a style that implies coordinating multiple components and transferring big chunks of data will be very inefficient in an application that on average uses small control messages. It is the developer’s obligation to select the right style. Finally, components cannot communicate faster than one of the components can produce or consume data. Table 1 (Number of sends for each transaction) presents the mean time needed to perform the specified transactions for the top 5 ERP:

| Transaction | Client-to-Server Sends | Server-to-Server Sends | Total Sends |
|---|---|---|---|
| Add employee – Two tier | 242 | N/A | 242 |
| Add customer – Three tier | 83 | 411 | 494 |
| View customer – Three tier | 105 | 455 | 560 |
| Journal entry – Three tier | 179 | 521 | 700 |
| Journal entry – Two tier | 715 | N/A | 715 |
| Maintain P.O. – Two tier | 768 | N/A | 768 |
| Maintain Sales Order – Two tier | 858 | N/A | 858 |
| Add Inventory Item – Two tier | 988 | N/A | 988 |

Table 1 Number of sends for each transaction [42]

Local Area Network Performance

In the first test, Chariot¹⁴ SW was used to simulate a 100 Megabit LAN and an Add Employee transaction. The results are in Table 2 (Response time on 100BaseT LAN):

| Average Response Time | Minimum Response Time | Maximum Response Time | Total Measured Time |
|---|---|---|---|
| 6.20390 seconds | 5.80800 seconds | 6.51000 seconds | 62.039 seconds |

Table 2 Response time on 100BaseT LAN [42]

Wide Area Network Performance – T1

Next, The Cloud¹⁵ SW was used to simulate a transaction over a T1 link. The same test yielded the results presented in Table 3 (Response time for T1 WAN):

| Average Response Time | Minimum Response Time | Maximum Response Time | Total Measured Time |
|---|---|---|---|
| 10.46050 seconds | 10.01400 seconds | 10.71600 seconds | 104.605 seconds |

Table 3 Response time for T1 WAN [42]

¹⁴ Chariot from Ganymede Software Inc. is a network management system.
¹⁵ The Cloud from Shunra Software Ltd. is a WAN simulator.

So the results jumped from 6.2 seconds on the LAN to 10.5 seconds on the T1. That may be an acceptable result, but if we take into account that the T1 line was used by only one user, whereas in reality the network is shared and each user gets a small part of the total available capacity, it may be a very poor result. Therefore 10.5 seconds is theoretically possible, but in reality users will have to deal with bigger delays.

Wide Area Network Performance – 56Kb

In the third test, the same operation was simulated using a 56Kb link. The results are in Table 4 (Response time for 56Kb WAN):

| Average Response Time | Minimum Response Time | Maximum Response Time | Total Measured Time |
|---|---|---|---|
| 38.95420 seconds | 38.56100 seconds | 39.55800 seconds | 389.542 seconds |

Table 4 Response time for 56Kb WAN [42]

It has to be noted that in this simulation, just like in all the others, only one user used the link. After analysing these test results we can understand how different the transaction time may be in different types of networks. The network transfer time has climbed from 6.2 seconds to 39 seconds. In conclusion I can say that a network-based application will produce better results by not using the network [26]. This may sound bizarre, but in reality it helps in implementing efficient architectural styles, because the most efficient architectural styles for an application that operates in a network have to effectively minimize the use of the network, through reuse of previously received data (caching), by minimizing the number of transmitted packages in relation to user actions (replicated data and disconnected operations), or by minimizing the distance between the place where data are processed and the data source.

4.9. Security

Security is an important issue for any information system, especially for SW that deals with personnel information and payments. In 2004, results were published regarding business losses that occurred as a result of fraud or duplicate payments. The studies showed that the business loss from SW fraud was 3-6% and that the average of submitted duplicate payments equalled 2% of an enterprise's total accounts payable. Of these duplicate payments, 10% were never recovered, which led to total losses equivalent to 0.2% of total accounts payable [17]. Another aspect of the security problem is the need to protect information from unauthorized use, because rival companies may use internal information in their own interests. Security components are usually not cheap and, more importantly, are hard to implement and maintain at the required level. This is why the company has to understand the value of the information that it possesses. When calculating it, the company has to take into account the following:

• The price for restoring the lost information
• The sum of money lost because of improper functioning

It has to be noted that an SE may at the start invest money in just some basic security tools, but it has to have the possibility to extend the existing solution to a more secure one with a minimum of changes.

SEs should opt for preconfigured solutions, because they are easier to audit and to implement. An important fact about preconfigured solutions is that when they are updated it is not necessary to configure them once again. Even large companies have problems implementing the security components, because it is a process that needs time. The security of the ERP system can be thought of as a pyramid (see Figure 10 Security pyramid). The base of the pyramid is the physical security of the HW, the machine and the off-line storage media. The SW developers cannot influence physical security. The company that buys the ERP system is responsible for this layer. The only thing that a developer can do at this level is give a list of general advice on how physical security can be maintained at an adequate level. This last statement is valid for large and small companies. The second layer deals with the OS, but again the developer cannot directly influence the security of the OS. However, he can limit the list of OS on which the ERP system is supposed to operate. This may be done by writing in the SW specification the list of OS that are recommended by the developers. If the organization that uses the ERP system does not follow the developer’s recommendations, then the developer is not responsible for the damages; once again this is valid for organizations of any size. The third layer focuses on the security SW. This component may have to be included in a mainframe environment by installing a security product such as ACF2¹⁶ or Top Secret, or it may be included in the OS, as in the UNIX-like or AS/400¹⁷ environment [38]. The purpose is to secure the kernel, the privileged state, and the address spaces of the OS and the HW. It also ensures that ERP systems do not directly access the OS and the HW, which is the cornerstone of any secured OS.
In the case of big companies it is clear that buying such SW is not a problem; SEs, on the other hand, have a smaller budget and can choose from:

• Buying security SW,
• Using a freeware security SW,
• Using an OS that may be freeware and that supports the security requirements.

These three layers contribute to the security of the computing environment and are covered in detail in AS/400, NT, UNIX, Auditing and Security and DRP¹⁸. The detailed description of the above topics is beyond the scope of this paper.

¹⁶ ACF2 (more formally, CA-ACF2; the ACF stands for Access Control Facility) is a set of programs from Computer Associates that enable security on mainframes. ACF2 prevents accidental or deliberate modification, corruption, mutilation, deletion, or viral infection of files.
¹⁷ “The AS/400 - formally renamed the IBM iSeries, - is a midrange server designed for small businesses and departments in large enterprises and now redesigned so that it will work well in distributed networks with Web applications. … Its OS is called the OS/400. With multi-terabytes of disk storage and a Java virtual memory closely tied into the OS, IBM hopes to make the AS/400 a kind of versatile all-purpose server that can replace PC servers and Web servers, competing with both Wintel and UNIX servers.” [55]
¹⁸ “Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure.” (http://www.answers.com/topic/disaster-recovery)

Figure 10 Security pyramid [38]

In order to make the last two layers, the relational DB and the ERP system, more secure it is necessary to understand the following points:

• Role-based Security
• Protected views
• DB Security
• Network security
• Encryption
• Auditing and security

The choice of how restrictive or open the security policies are has to be in the company’s control. This is why security policies have to be extremely flexible and should be defined without programming. Only by providing a complete application-level security infrastructure, which supports authentication, roles, data security, encryption, auditing, etc., will it be possible to implement effective security policies that protect valuable data from unwanted access while trusted employees are able to do their jobs effectively. I have to note that when the environment is secure, the ERP will enhance the financial and operational integrity of sensitive transactions; if not, the reverse is inevitable.

4.9.1. Role-based Security

Security is important for most companies, because each person that interacts with the system may represent a threat. At the same time it is impossible to forbid interaction. For example, not all employees are allowed to make purchases without approval from the manager, but the manager cannot make purchases in the workers' name all the time. The first fact to be noted in this context is that each user has to have a user account for authentication [14]. Next it is necessary to implement a way to ensure that workers are able to do only what they are permitted to do. This can be done by specifying what a given user is allowed to do, but this can be a nightmare, because if there are 100 workers in the company, permissions must be set up 100 times [14]. The best way to solve this problem is by introducing roles. The use of roles has a good history and roles are used by many kinds of SW. For example, an SE may have two sale managers; by making a role called SaleManager and setting up all the required permissions, it will not be necessary to separately add the same access rules for the two sale managers. In this way it is possible to reduce the number of permissions that must be set up and to lower the administration costs and the number of possible administration mistakes. The system may use an inheritance model, which may facilitate granting or revoking privileges according to role. Roles may be general or specific within an enterprise. For example, all the employees may have the permission to view the price list, while only the chief manager may change the final prices. One user can have multiple roles; for example, a user is assigned the ORDER_VIEW role and also the ORDER_UPDATE_PRG role, which permits him to update order information for the facility PRG. As a result the user will be able to view all the orders, but will be able to update only orders for the PRG facility. Yet this kind of role-based security is still hard to maintain if the ERP system has many modules. Each module has to have its own roles attributed to different users, and as a result a big table of permissions has to be maintained. The developers of the ERP5 system have proposed an interesting solution to this problem, the 5A security model, which results in a reduced number of roles and a clear vision of the security system [44]. 5A stands for Author, Auditor, Assignor, Assignee and Associate. The idea is that these 5 roles increase by 5 times the number of possible permissions by creating combinations. More important is the fact that it is possible to define permissions regardless of modules (generic).
In the 5A security model the administrator has to maintain a single list of roles that by default are not associated with any module or user. If it is necessary to give a user access to a module, he is associated with the required local role. Local roles are effective only for a specific object, and because the number of generic roles is limited, the complexity of the security problem is smaller. Before describing the 5 roles, it has to be noted that security is divided into two parts:

• The first one defines user rights (roles) after successful logging in.
• The second one defines the privileges which the user has to be granted in order to obtain generic roles to a given object (in ERP5 nearly everything is an object: modules, settings, categories, etc.).

The 5A security model contains the following generic roles: [44]

• Author can make new documents without the possibility to view/modify other documents. For example, an employee who creates sale invoices and usually may not do anything else with them is an author.

• Auditor is allowed just to view documents. Suppose sales people who just should know all products in the company are auditors but not authors.

• Assignor has the permission to do all tasks; this implies assigning users as assignees of documents. This is used for manager positions.

• Assignee is supervised by the Assignor. For example, an employee can be defined as Assignee for documents related to a specific customer.

• Associate is authorized to perform operations in a document if another related document is assigned to him. Suppose a worker is dealing with a sale order and needs to know the customer, but the company policy forbids disclosing such information. If the worker receives the associate generic role he can access the required customer information only if he is an assignee to a sale order, related to the customer.

Also, ERP5 uses the role Owner, which was inherited from Zope¹⁹. With this role, the employee that creates the document is the owner. For example, based on this role it is possible to give the author the permission to view the document. Figure 11 (Security match in ERP5) illustrates how role-based security works in the ERP5 system. The user has been assigned to two categories, MA_CS and MA_CS_WA, where MA could stand for “Manager” and CS for “Customer Service”. As a result the user can be the auditor of the object.

Figure 11 Security match in ERP5

Upon successful login, the role information is used to create the objects that the user is permitted to interact with: menus, windows, reports, etc. It is important that each company has special requirements, thus roles do not work out of the box.
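The local-role idea of the 5A model can be sketched as follows. This is an added example, not ERP5 code: the class and function names, the sample objects, and the action sets for Assignee, Owner and Associate are assumptions; only the role names and the Associate rule come from the text above.

```python
from dataclasses import dataclass, field

# Generic roles mapped to actions. Author, Auditor and Assignor follow the
# descriptions in the text; the Assignee and Owner sets are assumptions.
ROLE_ACTIONS = {
    "Author": {"create"},
    "Auditor": {"view"},
    "Assignor": {"create", "view", "modify", "assign"},
    "Assignee": {"view", "modify"},
    "Owner": {"view"},
}
ASSOCIATE_ACTIONS = {"view"}  # assumption: an Associate may only read


@dataclass
class SecuredObject:
    """Anything that carries local roles: a module, a document, a category."""
    object_id: str
    related_ids: set = field(default_factory=set)    # e.g. sale order -> customer
    local_roles: dict = field(default_factory=dict)  # user -> set of generic roles


class LocalRoleStore:
    def __init__(self):
        self.objects = {}

    def add(self, object_id, related_ids=(), assignor=None):
        """Register an object; the administrator may name its first Assignor."""
        obj = SecuredObject(object_id, set(related_ids))
        if assignor:
            obj.local_roles[assignor] = {"Assignor"}
        self.objects[object_id] = obj

    def grant(self, granted_by, user, object_id, role):
        """Only a user holding 'assign' on the object may hand out a local role."""
        if role not in ROLE_ACTIONS and role != "Associate":
            raise ValueError(f"unknown role: {role}")
        if not self.allowed(granted_by, "assign", object_id):
            raise PermissionError(f"{granted_by} may not assign roles on {object_id}")
        self.objects[object_id].local_roles.setdefault(user, set()).add(role)

    def _associate_active(self, user, object_id):
        """Associate counts only while the user is Assignee of a related object."""
        return any(
            object_id in other.related_ids
            and "Assignee" in other.local_roles.get(user, set())
            for other in self.objects.values()
        )

    def allowed(self, user, action, object_id):
        """Deny by default: an action passes only if some local role grants it."""
        obj = self.objects.get(object_id)
        if obj is None:
            return False
        for role in obj.local_roles.get(user, set()):
            if role == "Associate":
                if action in ASSOCIATE_ACTIONS and self._associate_active(user, object_id):
                    return True
            elif action in ROLE_ACTIONS[role]:
                return True
        return False


def demo():
    """Constructed scenario: a worker needs customer data only via a sale order."""
    store = LocalRoleStore()
    store.add("customer_17", assignor="manager")
    store.add("sale_order_42", related_ids={"customer_17"}, assignor="manager")
    store.grant("manager", "worker", "customer_17", "Associate")
    before = store.allowed("worker", "view", "customer_17")
    store.grant("manager", "worker", "sale_order_42", "Assignee")
    after = store.allowed("worker", "view", "customer_17")
    return before, after, store.allowed("worker", "modify", "customer_17")


if __name__ == "__main__":
    print(demo())
```

The permission table stays at one small dictionary of generic roles no matter how many objects exist, because the grants themselves are stored on each object.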

4.9.2. Protected views

Apache OFBiz²⁰ proposes another interesting mechanism for protecting information, which may be used to prevent data leakage that may occur as a result of compromised login information. It works like the greylist anti-spam (“temporarily reject”) feature and is pretty simple to use. It is possible to add a menu entry Protected Views [63] in which the following can be defined:

• The object,
• View name attribute,
• Maximum number of interactions per period,
• Duration during which the interactions are considered,
• Duration during which the object will not be accessible.

¹⁹ “Zope is a free and open-source, object-oriented web application server written in the Python programming language.” http://en.wikipedia.org/wiki/Zope
²⁰ “Apache Open For Business (Apache OFBiz) is Open Source automation SW that is an Apache Top Level Project, that comprises a mature suite of enterprise applications that integrate and automate many of the business processes.”[63]

There is nothing else that has to be defined in order to make the protected mechanism work. A possible option for the “protect” response, in case of blocked screen, may be rendering blank by default.
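The three numeric settings listed above are enough to build such a throttle. The sketch below is an added example and not OFBiz code: the class names, the view name and the limits are constructed, and time is passed in explicitly so the behaviour can be replayed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewRule:
    max_hits: int     # maximum number of interactions per period
    period_s: float   # duration during which the interactions are considered
    lockout_s: float  # duration during which the view will not be accessible


class ProtectedViews:
    """Per-user throttle for sensitive views; a blocked view renders blank."""

    def __init__(self, rules):
        self.rules = rules                  # view name -> ViewRule
        self.hits = defaultdict(deque)      # (user, view) -> recent timestamps
        self.blocked_until = {}             # (user, view) -> end of lockout
        self.alerts = []                    # (time, user, view) for the auditor

    def request(self, user, view, now):
        rule = self.rules.get(view)
        if rule is None:
            return "render"                 # the view is not protected
        key = (user, view)
        if now < self.blocked_until.get(key, float("-inf")):
            return "blank"                  # still inside the lockout
        window = self.hits[key]
        # Forget interactions that fell out of the counting period.
        while window and window[0] <= now - rule.period_s:
            window.popleft()
        window.append(now)
        if len(window) > rule.max_hits:
            # Too many reads in the period: lock the view and record it, since
            # bulk reading with valid credentials is what a leak looks like.
            self.blocked_until[key] = now + rule.lockout_s
            window.clear()
            self.alerts.append((now, user, view))
            return "blank"
        return "render"


def replay(guard, user, view, times):
    """Feed a list of request times and return the response to each one."""
    return [guard.request(user, view, t) for t in times]


if __name__ == "__main__":
    # Constructed rule: at most 3 views per 60 s, then 300 s without access.
    guard = ProtectedViews({"CustomerList": ViewRule(3, 60, 300)})
    print(replay(guard, "bob", "CustomerList", [0, 10, 20, 30, 100, 331]))
    print(guard.alerts)
```

The alert list matters as much as the blank page: a lockout on a customer list is a signal worth reviewing, not just a nuisance to the user.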

4.9.3. Database security

Security issues related to DB security are nearly the same as the OS security problems:

• Physical integrity of DB – resistance to power failure, recovery from damages.
• Logical integrity of DB – the data structure and relations must be preserved.
• Elementary integrity of DB – the data contained in each entry have to be correct.
• Access control – information on who can access data from the DB and how.
• Auditability – information about who accessed data from the DB and how.
• Authentication – every access to the DB has to be positively identified. The DBMS has to know to whom it is answering because it usually runs as a client process and does not have a reliable connection to the OS.
• Availability – users may access the data from the DB at any moment according to the given access permissions.

The system has to guarantee that only authorised users can make changes to the data. The DBMS has to offer the possibility to reconstruct some previous DB states. This can be done by using a transaction log [5]. However, even when an authorised user makes changes to DB data, there is a chance of making a mistake, and the DBMS should intercept such mistakes. This may be done by:

• Checking if the format of the entered data is correct, for example if it is a name or a number,

• Implementing a mechanism that will check if the user is authorised to make the changes,

• Implementing a mechanism for solving collision situations,

• Saving the list of changes that would contain the initial and the new entry.

It is important to know how users manipulated data in the DB, not only for checking whether the changes are correct but also for long-term monitoring, by which it is possible to track and eliminate suspicious activities [36]. For example, by using a set of indirect requests a user may find the value of an entry. To prevent this it is necessary to select the adequate granularity (blocks, entries, or items).

Reliable front-end (guard)

Only some DBMS security requirements are met by the native DBMS; this is why it is necessary to use a front-end system as a supplement to the DBMS [36]. The user has to authenticate to the front-end system, which collects requests from him. After receiving a request, the front-end system checks whether the user has the necessary access level and forwards the request to the DBMS. In the end, before sending the result to the user, the front-end system performs result checking and classification. The DBMS accesses the DB using a reliable access controller. An illustration of the above explanation is in Figure 12 Reliable front-end (guard).

Figure 12 Reliable front-end (guard) [5]
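The guard described above, combined with the four checks listed earlier in this section (format, authorisation, collision handling, and a change list holding the initial and the new entry), can be sketched with an in-memory SQLite DB. This is an added example, not code from the cited sources; the table layout, policy, user names and the version-column collision check are assumptions.

```python
import re
import sqlite3

# Constructed policy: role -> columns it may read and write (assumption).
POLICY = {
    "sales": {"read": {"id", "name"}, "write": set()},
    "accountant": {"read": {"id", "name", "credit_limit"}, "write": {"credit_limit"}},
}
# Format rule per writable column; a column without a rule is rejected.
FORMATS = {"credit_limit": re.compile(r"[0-9]{1,9}")}
COLUMNS = ("id", "name", "credit_limit", "version")


class Collision(Exception):
    """The record changed after the caller read it."""


class Guard:
    """Front-end between users and the DBMS; users never hold a DB connection."""

    def __init__(self, users):
        self.users = users  # user -> role; stands in for real authentication
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            """
            CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT,
                                   credit_limit INTEGER, version INTEGER DEFAULT 1);
            CREATE TABLE audit (user TEXT, customer_id INTEGER, field TEXT,
                                old_value TEXT, new_value TEXT);
            INSERT INTO customer (id, name, credit_limit) VALUES (1, 'Acme', 5000);
            """
        )

    def _policy(self, user):
        if user not in self.users:
            raise PermissionError("unknown user")
        return POLICY[self.users[user]]

    def read(self, user, customer_id):
        readable = self._policy(user)["read"]
        row = self.db.execute(
            "SELECT id, name, credit_limit, version FROM customer WHERE id = ?",
            (customer_id,),
        ).fetchone()
        if row is None:
            return None
        record = dict(zip(COLUMNS, row))
        # Result check: strip columns the role may not see; the version number
        # is returned so that a later update can detect a collision.
        return {k: v for k, v in record.items() if k in readable or k == "version"}

    def update(self, user, customer_id, field, value, seen_version):
        if field not in self._policy(user)["write"]:
            raise PermissionError(f"{user} may not change {field}")
        rule = FORMATS.get(field)
        if rule is None or not rule.fullmatch(str(value)):
            raise ValueError(f"bad format for {field}: {value!r}")
        with self.db:  # one transaction: the change and its audit row commit together
            # `field` is safe to interpolate: it passed the allow-list check above.
            old = self.db.execute(
                f"SELECT {field} FROM customer WHERE id = ?", (customer_id,)
            ).fetchone()
            changed = self.db.execute(
                f"UPDATE customer SET {field} = ?, version = version + 1 "
                "WHERE id = ? AND version = ?",
                (value, customer_id, seen_version),
            ).rowcount
            if changed != 1:
                raise Collision(f"customer {customer_id} changed since version {seen_version}")
            self.db.execute(
                "INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
                (user, customer_id, field, str(old[0]), str(value)),
            )
        return seen_version + 1

    def audit_trail(self):
        return self.db.execute("SELECT * FROM audit").fetchall()


if __name__ == "__main__":
    guard = Guard({"alice": "accountant", "bob": "sales"})
    print(guard.read("bob", 1))
    print(guard.update("alice", 1, "credit_limit", 7000, 1), guard.audit_trail())
```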

In the chapter ERP Database Management System (DBMS), commercial and open source DBMS were compared; in this chapter I have to add that Oracle offers a higher security level than IBM. This is because IBM has neglected the security issues and now sells additional security packages, whereas Oracle has the security built in [30]. By using an ERP system as an interface to the DB, users do not have direct access to the sensitive data. Therefore the ERP system is an extra level of protection that does not permit unauthorized editing of data.

DB Security offered by OS

DB systems are programs and files. This is the reason why they are partially protected by the OS security mechanisms: file security, authentication checking, backups, integrity tests at the OS level, etc. It has to be noted that the mechanisms described above are not absolute. For example, they cannot always stop an authorised user from entering wrong data.

4.9.4. Network security

ERP systems are distributed systems, and by design this means that components have to communicate in order to offer a good result; but when they communicate over a network, there is a big chance of that communication being disclosed [9]. The potential for this problem increases when the communication uses large networks or the Internet. There is always a chance that malicious SW may try to monitor the network activity in order to retrieve sensitive data. This is why it is necessary to implement security standards and measures with which all the involved components will comply. Network vulnerabilities may be grouped into three broad categories: [28]

• Availability – The network may become unavailable for many reasons, but the result of such a failure may be a serious damage to the business.

Solution: This vulnerability cannot be eliminated 100% but good network architecture and monitoring can decrease the probability to an acceptable level. The design of the network has to ensure that redundant paths are available and that routing may switch the traffic to the available paths, without loss of data or time. Monitoring should offer information needed for removing the bottlenecks and facilitate routing data in the best possible way, and as a result provide the required speed.

• Interception – This is one of the biggest vulnerabilities because it is often necessary to send data through equipment that is controlled by third parties.

Solution: In my opinion it is unwise to try to obtain a good physical protection [14] because the distribution of the system may easily change and this would involve at least spending money on new security tests. Another reason may be the increasing use of wireless connections. The most effective measure is implementing encryption algorithms, which may operate inside the application or in a device such as a router, switch or multiplexer. Digital certificates and signatures may be used as well. A VPN (footnote 21) is an example of a tunnel through which encrypted data are transmitted over different kinds of networks.

• Access/entry points – A weak entry point may offer an intruder the possibility to gather sensitive information.

Solution: The main idea is to limit the type of traffic that can pass through the entry points (e.g. HTTP). A list of addresses/computers that are allowed to communicate with the system can also be implemented. Such rules may be implemented using firewalls and access control lists in routers. It is also necessary to use an antivirus and other intrusion detection systems, which would take corrective actions.

Note that in the case of SEs the network security does not have to be as strong as in big companies. The reason is simple: the value of the information is usually smaller and the network structure is simpler. However, the network security should protect from unwanted intrusions and network failures, because this is a common threat not only for companies but for ordinary users as well.

4.9.5. Encryption

It is often necessary to transform the information that passes through the network or is saved to the DB so that only authorised people can work with it. This can be done using one of the existing encryption algorithms. SEs and big enterprises have different requirements regarding the amount and type of information that has to be encrypted. When deciding what kind of encryption to implement in the ERP system for a SE, it is important to take into account all the pluses and minuses of the encryption algorithms used by big enterprises. In this context it should be noted that some sophisticated ERP systems offer the possibility to choose the desired security level (e.g. SAP R/3). Further I will explain different encryption concepts that may be useful when implementing an ERP system.

Encryption technology has to be used if any of the following is required:

• Confidentiality – assures that transmitted information is protected and undisclosed. Symmetric or asymmetric algorithms may be used to assure confidentiality.

• Data integrity – assures that the received data are the same as the sent data. This can be achieved by using digital signatures and hash algorithms.

• User authentication – offers the necessary tools for proving the identity of a user, server or entity. This can be achieved by using asymmetric cryptography, through testing knowledge of the secret key.

• Non-repudiation – assures that the received data are not changed and are sent by the alleged person. This is usually used for electronic payments and commercial documentation. By implementing non-repudiation it is possible to prove (even in a court of law) that the assumed person is the real sender. Non-repudiation may be implemented using a digital signature for short messages, but combinations of message authentication codes (MAC) and digital signatures are very often used.

When implementing an encryption algorithm it is necessary to select the best deployment of the encryption process. In this context it is necessary to select between two options:

21 Virtual private network


• Data are maintained encrypted in the DB and are sent to the client in encrypted form, where they are decrypted. This method may be very secure at its source.

• Data are maintained unencrypted in the DB and only encrypted when they are transported. This method appears to be less secure than the first one and as a result it is necessary to implement compensating controls. On the other hand, if data are constantly modified, the encryption at the central repository may slow the system.

In my opinion the best is to keep encrypted backups of DB data and, for daily use, to store unencrypted data in the DB. Numerous products exist that may be used to encrypt and transport data; some of the best known are Secure Electronic Transaction (SET), Secure Shell (SSH), Secure Sockets Layer (SSL), and Secure/Multipurpose Internet Mail Extensions (S/MIME) [50].

Cryptography types

Symmetric key cryptography [50] (secret key): the same key has to be used for encrypting and decrypting data. This type of encryption is faster than asymmetric encryption, but in order to share the information with authorised people it is necessary to distribute the key. Examples of modern and well-known symmetric algorithms are DES, Blowfish, Serpent, Twofish, CAST5, IDEA, 3DES and AES [5].

Asymmetric key cryptography (public key): requires a pair of keys; one key is used for encrypting the message, which can be decrypted only using the second key. One of the keys is public, accessible to everyone, and the other key is private, accessible only to the owner. When someone wants to send a message to the user, he has to encrypt it using the offered public key. After that only the holder of the private key can decrypt the message. Examples of asymmetric key ciphers are Diffie-Hellman (DH), DSS (Digital Signature Standard) and Rivest-Shamir-Adleman (RSA) [5]. By using this algorithm it is also possible to sign the message. If the sender encrypts the message with his private key, everyone can decipher it with the sender’s public key, but only the holder of the private key can make changes to the message, in this way guaranteeing its integrity and authenticity. Asymmetric algorithms are usually slower than symmetric ones [50].

One-way hashes (one-way cryptography): this method encrypts data in an irreversible way. One-way hashes use hash functions; as a result it is not possible to derive the initial data from the generated hash. Usually this type of encryption is used for encrypting passwords. Examples of one-way hashes are MD5 and SHA-1. If the key is lost it is impossible to recover the encrypted data. It has to be noted that one-way encryption provides a higher level of security than a two-way hash (symmetric and asymmetric cryptography).

The major risk associated with two-way hash algorithms is that the encryption keys may be weak; as a result it would be easy to decrypt sensitive data. On the other hand, if the DB is corrupted, encrypted data can be quickly recovered. This is why additional controls have to be implemented. To ensure that the encryption key is strong enough and fully secured, it has to be changed more frequently.

SEs, the same as big companies, have to use one or several of the above encryption methods in order to secure the information they own. Once again SEs have the benefit of owning cheaper information and as a result may implement cheaper encryption algorithms. On the other hand, even if the SEs may evaluate their information as of no interest to any other company, in some countries they are responsible by law for the information regarding clients’ and employees’ personal data. In my opinion encryption technologies are usually cost effective.
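As an added illustration of the one-way hashing and MAC concepts above (not code from the thesis), the sketch below stores a password first as an unsalted SHA-1 digest and then as a salted, iterated record, and protects a message with a MAC. PBKDF2-HMAC-SHA256 and HMAC-SHA256 are choices made for this example; the thesis itself names only MD5 and SHA-1, and the iteration count and sample values are assumptions.

```python
import hashlib
import hmac
import os


def sha1_record(password):
    """Unsalted, fast one-way hash: equal passwords give equal records."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_record(password, iterations=200_000):
    """Salted, deliberately slow one-way record: (salt, iterations, key)."""
    salt = os.urandom(16)  # fresh random salt per stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify(password, record):
    """Recompute the record from the candidate and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def seal(key, message):
    """Append an HMAC-SHA256 tag so the receiver can check data integrity."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Return the message if the tag matches, otherwise None."""
    message, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None


def shared_password_visible(passwords, store):
    """True if two accounts with the same password get identical records."""
    a, b = store(passwords[0]), store(passwords[1])
    return a == b


if __name__ == "__main__":
    same = ["Spring2009", "Spring2009"]  # constructed sample passwords
    print("SHA-1 leaks reuse:", shared_password_visible(same, sha1_record))
    print("salted record leaks reuse:", shared_password_visible(same, new_record))
    mac_key = os.urandom(32)  # shared by sender and receiver
    blob = seal(mac_key, b"pay 100 EUR to account 42")
    tampered = blob.replace(b"100", b"900")
    print("intact:", open_sealed(mac_key, blob))
    print("tampered:", open_sealed(mac_key, tampered))
```

Because sender and receiver hold the same MAC key, the tag proves integrity between them but not which of the two produced the message; that is why non-repudiation additionally needs a digital signature.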

4.9.6. Auditing

Auditing is an additional layer of protection that offers the necessary information for improving the ERP system security level. Any ERP system should provide the ability to audit system changes [27], from administrative changes, such as changing the security role of an employee, to simple DB entry changes or queries. Previous chapters described some of the ERP system components that require monitoring, and auditing should offer the necessary tools for analysing the gathered data.

In this context it is important to decide in which way the monitored data will be saved. After analyzing other ERP systems, I may say that the most common way of saving such data is by storing them in the ERP DB. The reason is simple: security data are voluminous, and by using an existing DB it is easy to create queries and it is not necessary to invest money. For example, SAP has a table USR02 (“Logon Data”) that contains information regarding user access. Using this table (field TRDAT) it is possible to detect inactive user IDs that may be excluded. Likewise, a high percentage of unused user IDs may indicate that something in the system is not working as intended. For example, a big number of unused IDs may be caused by the fact that access rights are not removed after employees retire. This kind of data may also indicate whether the system is effectively used and may raise the need of training the employees [39]. Adding data to this table is very easy to implement; for example, developers may use triggers.

Another important benefit that auditing can bring is the opportunity to identify possible cost savings. For example, it is possible to find out whether the number of owned licenses is bigger than necessary. Auditing must also focus on identifying data that have to be encrypted and the persons who need access to this data [41]. Auditing of encryption systems should be based on the known vulnerabilities and should protect data at the level required by management.
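The two audit mechanisms mentioned above, a trigger that records changes in the ERP DB and a query that finds inactive user IDs from the last logon date, are shown below as an added example (not code from the thesis or from SAP). The tables erp_user and audit_log, their columns and the sample rows are hypothetical; last_logon plays the role that TRDAT plays in USR02.

```python
import sqlite3

SCHEMA = """
CREATE TABLE erp_user(user_id TEXT PRIMARY KEY, role TEXT, last_logon TEXT);
CREATE TABLE audit_log(
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT DEFAULT (datetime('now')),
    user_id TEXT, old_role TEXT, new_role TEXT);
-- Every real change of a security role leaves a row in the audit table.
CREATE TRIGGER trg_role_change AFTER UPDATE OF role ON erp_user
WHEN OLD.role IS NOT NEW.role
BEGIN
    INSERT INTO audit_log(user_id, old_role, new_role)
    VALUES (OLD.user_id, OLD.role, NEW.role);
END;
"""

# Constructed sample accounts: (user_id, role, last logon date or None).
SAMPLE_USERS = [
    ("alice", "clerk", "2009-05-01"),
    ("bob", "accountant", "2008-11-03"),
    ("carol", "clerk", None),  # ID created but never used
]


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO erp_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def change_role(db, user_id, new_role):
    """Administrative change; the trigger does the audit logging."""
    db.execute("UPDATE erp_user SET role = ? WHERE user_id = ?",
               (new_role, user_id))


def role_changes(db):
    return db.execute("SELECT user_id, old_role, new_role "
                      "FROM audit_log ORDER BY id").fetchall()


def inactive_users(db, today, max_idle_days):
    """User IDs with no logon, or none within max_idle_days before today."""
    rows = db.execute(
        "SELECT user_id FROM erp_user "
        "WHERE last_logon IS NULL "
        "   OR julianday(?) - julianday(last_logon) > ? "
        "ORDER BY user_id", (today, max_idle_days)).fetchall()
    return [row[0] for row in rows]


def unused_ratio(db, today, max_idle_days):
    """Share of user IDs that are inactive; a high value needs follow-up."""
    total = db.execute("SELECT COUNT(*) FROM erp_user").fetchone()[0]
    return len(inactive_users(db, today, max_idle_days)) / total


if __name__ == "__main__":
    db = open_db()
    change_role(db, "alice", "admin")
    change_role(db, "bob", "accountant")  # same role: nothing is logged
    print(role_changes(db))
    print(inactive_users(db, "2009-05-22", 90))
```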


5. Conclusion

I believe that I managed to answer the main questions that have been raised by the theme of this paper. I have to agree that this paper represents a small part of the information that is necessary for a team of developers to write a full ERP system, but the time limit, lack of space and experience did not permit me to present all the information I have found. However, I consider that the described topics can be very useful in the launch stage of developing many types of SW. For me this paper represents a few more steps that I made towards my future SW project, which will also be oriented on providing tools for managing business processes, but on a smaller scale.

In this paper I managed to concentrate on enumerating, and what is more important, on describing the components that in my opinion are essential for an ERP system. In order to do this I had to start from identifying the up-to-date problems that an ERP system has to solve. At this phase of my research I identified that it is necessary to solve business and IT problems. The business category mainly includes problems related to functional tasks, while the IT category is very diverse. It starts with simple problems, such as selecting the right programming language, and ends with more complicated ones, such as the necessity to assure security and extensibility.

In the next phase I analysed the existing commercial and open-source systems and then proceeded to search for the best solutions to the IT problems. While analysing I understood that currently designing an ERP system requires decomposing the existing systems and taking the best from them. This was not possible before, since the few solutions that existed on the market were not mature enough. Also, the tasks solved by the ERP systems before are different from the current ones, and what is more important, the life cycle of an ERP system is currently shorter, therefore requiring new approaches. This is why I examined concepts such as SOA, MDA, EDA, SaaS, etc.

Regarding the difference between ERP systems for SEs and big enterprises, I believe it is clear that they cannot be the same and that the development of such a product for a SE requires a different approach. This may include a different type of deployment, DBMS, OS, security policy, functionality, etc. In my opinion, in this case, a different approach does not mean offering an inferior solution; on the contrary, the developed ERP system would be valuable and available to SEs. Still, the approach should not be totally different, because all enterprises have things in common and the ERP system is just a tool that facilitates administrating them.


Glossary

BI - Business intelligence
CRM - Customer relationship management
DB - Database
DBMS - Database management system
EDA - Event driven architecture
ERP - Enterprise resource planning
HW - Hardware
LAN - Local-area network
MDA - Model-driven architecture
OS - Operating system
SaaS - Software as a service
SCM - Supply chain management
SE - Small enterprise
SW - Software
TMS - Transportation management systems
WAN - Wide-area network
WMS - Warehouse management systems


Literature

[1] Alexandru Chiuariu, “Gartner Analyzes Five Popular SaaS Myths”, Feb 2009, (http://news.softpedia.com/news/Gartner-Analyzes-Five-Popular-SaaS-Myths-105076.shtml), Polled 10 Mar 2009

[2] Amy Hengst,“ERP FAQ”, oct 2007, (http://www.insidecrm.com/features/erp-faq-102907/), Polled 10 Mar 2009

[3] Ariel Ortiz Ramirez, “Three-Tier Architecture”, Jul 2000, (http://www.linuxjournal.com/article/3508), Polled 22 Mar 2009

[4] Avraham Shtub, 1999,"Enterprise Resource Planning (ERP): The Dynamics of Operations Management", 1999, ISBN 0-7923-8438-5

[5] Beneš A.,“Ochrana informace 1- NSWI089”, “Ochrana informace 2- NSWI071”, courses 2008

[6] David McAmis, “Running .NET on Linux with DotGNU”, 2004, (http://www.builderau.com.au/program/dotnet/soa/Running-NET-on-Linux-with-DotGNU/0,339028399,339130565,00.htm), Polled 10 Apr 2009

[7] Bruce Zhang, 2005-03-08,“ERP Definition - A Systems Perspective”, 2005

[8] Donald K. Burleson, “Oracle SAP administration”, 1999, I edition 1-56592-696-X, (http://oreilly.com/catalog/sapadm/chapter/ch01.html), Polled 10 Mar 2009

[9] Eric J. Bruno, “Defining the ESB”, Jul 2007, (http://www.ddj.com/java/201200303?pgno=1), Polled 22 Mar 2009

[10] Gustaf Juell-Skielse, "ERP adoption in small and medium sized companies", Licentiate Thesis, Department of Computer and System Sciences Royal Institute of Technology Stockholm, Sweden 2006

[11] Christian Hager, “Open source software for product tracking”, thesis, (http://www.linuxuser.at/downloads/OpenSourceProductTracking_Hager.pdf), Polled 10 Apr 2009

[12] Jae-won Park, Nam-Yong Lee, "A conceptual model of ERP for small and medium-size companies based on UML", May 2006, IJCSNS, Vol. 6 No 5A

[13] Jagadish Chatarji, “Introduction to Service Oriented Architecture (SOA)”, oct 2004, (http://www.devshed.com/c/a/Web-Services/Introduction-to-Service-Oriented-Architecture-SOA/), Polled 22 Apr 2009

[14] John E. Humphries Jr., “Preventing EFT Fraud", 2003, CISA, CISSP, GSEC Volume 4, (http://www.isaca.org/), Polled 1 May 2009

[15] Jon Siegel, “OMG's Model Driven Architecture”, Oct 2002, (http://www.sdtimes.com/link/26807), Polled 1 May 2009

[16] Kai A. Olsen, Petr Satre, "ERP for SMEs - is proprietary software an alternative?", Molde university college, (www.himolde.no/~olsen/artikler/P81CompletePaper.pdf), Polled 19 Mar 2009

[17] Mark Van Holsbeck, Jeffrey Z. Johnson, “Security in an ERP World”, (http://www.net-security.org/article.php?id=691), Polled 28 Mar 2009


[18] Martin Verwijmeren, "Software component architecture in supply chain management ", Feb 2004, Volume 53, Issue 2, Pages 165-178, (http://www.sciencedirect.com/), Polled 7 Mar 2009

[19] Omar Malik, Syed Abdul Basit, "Planning and analysis of knowledge intensive enterprise resources planning systems", 2008, Master thesis Computer Science, Thesis no: MCS-2008-3

[20] Paula J. Hagan, The MITRE Corporation, "Guide to the (evolving) enterprise architecture body of knowledge", 2004, MITRE Corporation (Draft)

[21] Petr Novak,"ERP systém open source?“, Nov 2008, Magazine IT Systems, (http://www.systemonline.cz/erp/erp-system-open-source.htm), Polled 2 Mar 2009

[22] Prasad Bingi; Maneesh K. Sharma and Jayanth K. Godla, “Critical issues affecting an ERP implementation”, 1999, Information Systems Management, Vol. 16 Issue 3, p7, 8p, (http://carl.sandiego.edu/gba573/critical_issues_affecting_an_erp.htm), Polled 2 Mar 2009

[23] Pressman R., "Software Engineering: A Practitioner's Approach", Jul 4, 2000, 5 edition, ISBN: 978-0077096779, McGraw-Hill Higher Education

[24] Rai University, Management Information Systems, UNIT VI Lesson 39,“Tutorial on ERP Packages and Software’s; A Short SAP Tutorial”, (http://www.rocw.raifoundation.org/management/mba/mgmt-of-Information-system/lecture-notes/lecture-39.pdf), Polled 2 Mar 2009

[25] Rebecca Haviv, “ERP Fees & Installation Alternatives”, Oct 2008, (http://eshbel.wordpress.com/2008/10/26/erp-fees-installation-alternatives/), Polled 28 Mar 2009

[26] Roy Thomas Fielding ,“Network-based Application Architectures”, 2000, Dissertation, (http://www.ics.uci.edu/~fielding/pubs/dissertation/net_app_arch.htm), Polled 22 Mar 2009

[27] S. Anantha Sayana, “Auditing Security and Privacy in ERP Applications”, 2004, CISM, CISA, CIA, Volume 4, (www.isaca.org), Polled 20 Apr 2009

[28] S. Anantha Sayana, “Approach to auditing network security”, 2003, Information System Control Journal, Volume 5, (www.isaca.org), Polled 20 Apr 2009

[29] Shivani Shinde, “Software as a service: it’s here at last", (http://www.expresscomputeronline.com/20061204/market01.shtml), Polled 10 Mar 2009

[30] Somayeh Dodge, “Evaluating different approaches of spatial database management for moving objects”, (http://www.gisdevelopment.net/technology/gis/me05_021b.htm), Polled 1 May 2009

[31] Surekha Durvasula, Martin Guttmann, “SOA Practitioners’ Guide Part 2: SOA Reference Architecture“, 2006, (http://www.soablueprint.com/whitepapers/SOAPGPart2.pdf), Polled 10 Mar 2009


[32] Surekha Durvasula, Martin Guttmann, “SOA Practitioners’ Guide, Part 1: Why Services-Oriented Architecture?”, 2006, (http://www.soablueprint.com/whitepapers/SOAPGPart1.pdf), Polled 5 Apr 2009

[33] Szitas Z., "Technical requirements in enterprise resource planning systems", 27th Int. Spring seminar on Electronic Technology, (http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01490857), Polled 10 Mar 2009

[34] Thomas F. Wallace, Michael H. Kremzar, John Wiley & Sons Inc, "ERP: Making It Happen", 2001, ISBN 0-471-39201-4

[35] Tim Conrad ,“PostgreSQL vs. MySQL vs. Commercial Databases: It's All About What You Need”, (http://www.devx.com/dbzone/Article/20743/1954), Polled 10 Mar 2009

[36] Ulf Mattson, "Best practices in Enterprise database protection", 2007, (http://www.seouc.com/Presentations/Best_Practices_Mattsson.pdf), Polled 10 Mar 2009

[37] Yefim V. Natis, "Service-Oriented Architecture Scenario", Apr 2003, ID-Number:AV-19-6751, (http://www.gartner.com/resources/114300/114358/114358.pdf), Polled 9 Mar 2009

[38] Yusufali F. Musaji, "Integrated Auditing of ERP systems", 2002, ISBN 0-471-23518-0

[39] “Guidelines for the Use of DeskBank”, Oct 1999, Tasmania Department of treasure and finance, (www.treasury.tas.gov.au/domino/dtf/dtf.nsf/acca8cad9e1c8f864a256807001974ce/b3bb3aa29bbb681c4a256818000b1f9d?OpenDocument), Polled 20 Apr 2009

[40] "Enterprise resource planning (ERP) - Concepts, Methods and Frameworks", 6 Dec 2008, (http://mauriziostorani.wordpress.com/2008/12/06/enterprise-resource-planning-erp-concepts-methods-and-frameworks/), Polled 12 Apr 2009

[41] "IS Auditing Procedure: Evaluation of Management Controls Over Encryption Methodologies", Oct 2004, (http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=31609), Polled 20 Apr 2009

[42] “Enterprise Resource Planning Applications and Their Effects on the Network”, (http://www.erpfans.com/erpfans/erpwire.htm), Polled 10 Mar 2009

[43] “ERP FAQ’s”, (http://www.iiitb.ac.in/ss/erp-faq/main9pg1.htm)

[44] “ERP5 5A Security Model”, (http://cps.erp5.org/sections/documentation/articles/erp5_security_model/?theme=printable), Polled 5 Apr 2009

[45] “Choosing a free database“, (http://it.toolbox.com/blogs/database-talk/choosing-a-free-database-15971), Polled 10 Mar 2009

[46] “Made2Manage ERP: Technology Platform”, (http://www.made2manage.com/ERP-Software-System/Technology.aspx), Polled 10 Mar 2009


[47] “Model Driven Architecture (MDA) FAQ...“, (http://www.omg.org/mda/faq_mda.htm), Polled 10 Mar 2009

[48] “Relational Database”, Internet glossary, (http://www.irun.com/glossary/R_G_PopUp/relationalDatabase_R_Def.asp), Polled 27 Apr 2009

[49] “SAP IT selects IBM DB2 as strategic database platform for internal business systems“, Jan 2008, (http://www-01.ibm.com/software/success/cssdb.nsf/CS/STRD-7AHE5W?OpenDocument&Site=default&cty=en_us), Polled 10 Mar 2009

[50] “Securing Communications Over an Intranet: Part 1”, Apr 2002, Mindbridge Software, (http://www.ebizq.net/topics/security/features/1759.html?page=1), Polled 23 Apr 2009

[51] “Software as a service”, (http://en.wikipedia.org/wiki/Software_as_a_service), Polled 10 Mar 2009

[52] “Understanding the Three-Tier Architecture”, Oracle TopLink Developer's Guide 10g Release 3 (10.1.3), (http://www.oracle.com/technology/products/ias/toplink/doc/1013/MAIN/_html/undtldev010.htm), Polled 25 Apr 2009

[53] “Why Linux?”, Jan 2007, GoPrint, (http://www.goprint.com/images/Linux_white_paper.pdf), Polled 25 Apr 2009

[54] Adempiere, (http://en.wikipedia.org/wiki/Adempiere), Polled 10 Mar 2009

[55] AS/400, (http://search400.techtarget.com/sDefinition/0,,sid3_gci211599,00.html), Polled 10 Mar 2009

[56] Compiere, (http://www.compiere.com/), Polled 10 Mar 2009

[57] DBMS, (http://en.wikipedia.org/wiki/Comparison_of_relational_database_management_systems), Polled 10 Mar 2009

[58] DotGNU, (http://www.dotgnu.org/), Polled 10 Mar 2009

[59] JavaServer Pages, (http://en.wikipedia.org/wiki/JavaServer_Pages), Polled 10 Mar 2009

[60] Jfire, (http://en.wikipedia.org/wiki/Jfire), Polled 10 Mar 2009

[61] Microsoft Dynamics, (http://msdn.microsoft.com/en-us/library/ms950363.aspx), Polled 10 Mar 2009

[62] Mono project, (http://www.mono-project.com/Main_Page), Polled 25 Apr 2009

[63] OFBiz security, (http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?showChildren=true#children), Polled 10 Mar 2009

[64] Openbravo, (http://www.openbravo.com/product/erp/features/), Polled 25 Apr 2009

[65] SAP, (http://sapdocs.info/application-modules/), Polled 25 Apr 2009

[66] UML, (http://www.uml.org/), Polled 10 Mar 2009