As the head of cloud operations at my company, I’ve worked with manufacturers around the world, helping them run thousands of plants in the cloud. Talk to any manufacturer and you’ll know that the ERP systems they rely on for running their businesses are mission critical. When they fail, manufacturers are unable to complete orders, respond to customer requests, or launch new products, which can mean thousands or even millions of dollars at risk.
Based on that experience, and hundreds of conversations along the way, here are the four most important things to know about choosing a cloud ERP—or Software-as-a-Service (SaaS) application—for your business.
High availability in a SaaS solution translates most simply to system uptime. When Facebook or email service is interrupted unexpectedly, you might hear a lot of complaining, but when a manufacturing ERP system goes down, operations come to a halt. Cloud ERP system providers should be aware that any disruption in service directly impacts your bottom line, so their focus should be on supporting your operation’s uptime, allowing you to focus solely on your core business.
If your plant runs seven days a week, your system of record should as well, with any maintenance interruptions planned transparently and well in advance. Closely examine the maintenance times the provider proposes. Your vendor should have short maintenance windows, and they should take place during minimally disruptive times.
When evaluating cloud ERP systems, ask about availability metrics. A provider should be willing to commit to a service level agreement (SLA) of over three nines (99.9 percent) availability for ERP. This translates to no more than 43 minutes of unplanned downtime in a month. Be wary of vendors that promise 100 percent uptime. Some of the world’s largest cloud vendors, including Google, will only agree to 99.9 percent availability. A cloud provider should show a proven history of outperforming their contractual SLA, so ask to see their historical performance and that they have the processes and controls in place to meet their customers’ demands.
It’s also important to keep in mind the unplannable when looking at cloud SLAs, as disaster preparedness is a key component of high availability. Ask your vendor for their business continuity plans, including what they will do if an entire data center is compromised because of a widespread power outage or natural disaster.
And don’t be afraid to ask about testing: Disaster recovery tests should happen more than once a year; the best providers should test each month so that updating and executing these procedures become second nature to their team.
Lastly, look inward! In your journey to evaluate possible ERP SaaS providers, ask your own IT organization what internal SLA they can promise for a hosted solution. Can they prove that they have the processes and controls in place to meet that commitment, and do they have the reporting and transparency you would expect from a SaaS provider? Are they willing and able to perform an unplanned disaster recovery test to verify their level of preparedness?
Reliability can best be summarized as how consistently the application performs its intended function over time.
In a mission-critical manufacturing application, transaction tracking is important for detailed audit or performance records. Tracking all of these transactions—which can number in the millions or billions per day—can be challenging, but using a cloud system can help immensely given its inherent elastic storage capabilities.
The flexible nature of a cloud solution, combined with that scalable storage, gives you visibility and access to each transaction. Therefore, in the event of a failed transaction, the provider should be able to determine why that transaction failed. For example, did it time out or was there an execution error? Can the provider link application performance to user experience? And does the provider have analytics that can determine the underlying cause of performance issues and provide proactive measures to prevent those problems?
You should be able to proactively find information on any interruptions, such as through a status page. Ask how the vendor will share this information with you as well, and if the information is consolidated and accurate for the entire company (versus independent silos).
When purchasing any technology system, it’s important to consider not only how the system fits your business today, but also how well it can adjust in the future. As your business changes, a software solution’s ability (or inability) to scale with your business is paramount. If you are planning to leverage the cloud for its inherent flexibility, it’s important to understand multi-tenant vs. single-tenant SaaS models.
A multi-tenant SaaS model is one in which companies use a single line (instance) of constantly updated software code and a common IT infrastructure managed by a cloud vendor, with each company (tenant) having its own secure database partition, security and access controls. In contrast, a single-tenant model is one in which companies share common IT infrastructure, but manage their own copy of the software, access controls and database. Some companies see the customizable aspect of a single-tenancy model as beneficial, but many run into issues trying to keep software versions current, putting pressure on their team to periodically plan for costly and time-consuming version upgrades, or risk falling behind.
In a multi-tenant model, customers also gain the benefit of a community of like-minded innovators running on a common version of the software. This enables manufacturers to collaborate with industry peers to share best practices, knowing those with whom they are sharing are running a common, core software instance. Optimally, manufacturers find colleagues within the same OEM supply chain, which delivers even more direct value from knowledge sharing and collaboration.
It’s hard to turn on the news without hearing about a major retailer or hotel chain experiencing a security breach, and you may wonder if that could happen to you.
The fact is that no matter how sophisticated your security systems, people will always attempt to access your information. That’s why your ERP vendor should comply with industry security and privacy standards and regulations, as well as have documented, established processes to test and evaluate security at any given time.
Become familiar with the standards and regulations that your business and your customers require, such as the Privacy Shield data protection policy—one of the first data protection policies put in place after the Safe Harbor policy was deemed outdated. Or NIST 800-171, a requirement for systems that store controlled unclassified information (CUI) that went into effect at the end of 2017, and is important for multi-tenant SaaS providers that provide goods to the U.S. government. And, consider any other regulations or requirements pertinent to your business.
Plan to look at cloud security through the following lenses: complex layered security, threat prevention, security policies and procedures, testing, and third-party auditing.
Complex layered security should include both physical and digital preventions, from the very construction of the data center housing your provider’s servers, to the encryptions used to keep your data safe. Threat prevention speaks to the simple fact that attacks are constantly happening, so best-in-class firewalls are a must, along with endpoint protection across the provider’s environments which block malware, exploits, and zero-day threats. Your provider should use best-in-class distributed denial of service (DDoS) protection to block those trying to attack their database, while simultaneously ensuring that you can safely and securely reach it.
Security policies and procedures should be regularly updated to reflect current practices and threats. A provider shouldn’t always just rely on their own knowledge; they should bring in external, third-party partners to check for weaknesses, probe plans, and provide additional resources in the case of a majority security issue.
Testing should be scheduled, for example, providers should conduct third-party application vulnerability testing on a daily basis, comprehensive automated vulnerability testing on a quarterly basis, and third-party manual network and application penetration testing on a semi-annual basis.
Finally, annual audits should be conducted by your provider. SOC 1 (previously known as SSAE 16) and SOC 2 reports are example reports that help your system provider validate proper processes for financial reporting as well as security, availability, and processing integrity. These audit reports provide further proof that vendor data policies are at or above industry standards.
The Bottom Line
Choosing a manufacturing cloud ERP system is a complex process and should align with the unique needs of your business while also considering your internal IT department’s technical capabilities and resources. As a manufacturer, it’s important to understand what makes your business different and how that impacts your requirements from a cloud system provider—your needs will not be the same as an ERP system used to run a hospital, for instance.
One important thing to keep in mind is this: Go deeper when your vendor says “it’s covered.” Ask your provider for specifics, and don’t be afraid to push for more.
Todd Weeks is group vice president of cloud computing at Plex Systems.