ERP Connector

Connecting your ERP system to the Sage Inventory Advisor cloud servers involves:

  • The ERP server, on your network, runs your ERP system
  • The Comms server, in the cloud, co-ordinates data flow between the ERP server and the App server
  • The App server, in the cloud, runs the Sage Inventory Advisor application
     

Upon installation

When you sign up:

  • Your instance of the Sage Inventory Advisor (or Sage Inventory Advisor Basics) App is created on one of our App servers
  • The Comms server is configured to allow secure communication between your ERP server and your new Sage Inventory Advisor instance
  • A connector is installed on your ERP server that communicates with the Comms server, to send and receive data
     

Security considerations:

  • Each Sage Inventory Advisor instance is created for a specific customer and is completely separate from other customers – there is no way for one customer to access the data of another
  • A secure 2048-bit public/private key combination is generated on the ERP server:
    • The private key never leaves the ERP server
    • The public key is sent to the Comms server via a web service call and is stored in the customer’s unique instance
  • All communication channels are encrypted with the public key and decrypted with the private key, meaning data cannot be intercepted between:
    • The ERP server and the Comms server
    • The Comms server and the App server
  • The comms server is secured by opening only necessary ports and firewalls, keeping your public key safe
  • The following firewall rules have to be set:
    • Port 80 (TCP) open from your ERP server to our Comms server
    • Port 443 (TCP) open from your ERP server to our Comms server
    • Remember, if you’re working through a WAN, then the same rules have to be set between your LAN, and your WAN, and between your WAN and our Comms server
    • You can also make use of a proxy server
       

Sending data from the ERP server

On a daily basis, data is extracted from your ERP server and sent to Sage Inventory Advisor.

On the ERP server, the connector:

  • Runs the extracts against your ERP, creates standard csv files and compresses them using bzip2
  • Communicates with the Comms server using Secure FTP and your private key to send the compressed data via the encrypted channel, followed by an end of transmission web service call

On the Comms server:

  • The data is sent to the App server using Secure FTP

On the App server:

  • Upon receipt of the data, the files are unzipped and MD5 validation totals in a meta-data file are compared with the MD5 values computed for each file sent
  • Once it is established that the correct data has been received, the data is imported into your instance of the App
     

Sending data to the ERP server

On a more frequent basis, data such as recommended orders or custom reports are sent back to the ERP.

On the App server:

  • When a file is created, the Comms server is notified via a web service call

On the Comms server:

  • The file is retrieved using Secure FTP and compressed using bzip2
  • The list of files to be sent to the ERP is updated

On the ERP server:

  • The Comms server is polled via a web service call for new files
  • If new files are available, the ERP server retrieves the files using Secure FTP with its private key
  • The files are uncompressed and the Comms server notified of successful receipt

Data security

Sage Inventory Advisor’s customers enjoy the following security:

1. Transit security

All data transferred from the on-premise ERP system to our Comms servers are compressed. This data is then sent via the Secure FTP protocol. This data is encrypted in-transit via session keys and symmetric encryption. The software on the ERP system is authenticated on the Comms server using the customer’s unique public key. The private key is never shared.

The same process then happens to forward the information from the Comms server to the appropriate cloud App server.

For more information about data transmission, see the ERP Connector guide.

2. Data centre security

Sage Inventory Advisor only makes use of secure, reputable hosting providers. We only make use of data centres with the following minimum security features:

Security Cameras - Digital security camera system monitors all entries, hallways, and all areas of the lobby and colocation cabinet areas.

Access Control - Entry to the colocation areas requires an access card key.

Air Conditioning - Redundant industrial HVAC units (air conditioners) environmentally control the air temperature and relative humidity in the Colocation Facilities. Cabinets are arranged in alternating hot and cold aisles, with cold air flowing from overhead ducts into the cold aisles, flowing through the cabinets, and exhausting into the warm aisles.

Power, PDUs and Conditioning - Clean, conditioned power is delivered through Power Distribution Units (at least one for each row of cabinets). Each cabinet is individually breakered, so even if one customer has a power issue, other cabinets should not be affected.

Uninterruptible Power Supplies - PDUs are connected to Uninterruptible Power Supplies, which have enough battery power to keep systems running until the generator starts delivering power. All systems undergo regular preventative maintenance.

Power Generators and Fuel - Multiple generators automatically start when outside power is lost, and begin delivering full electric power to the facility within seconds. There should be enough fuel on hand for several days of generator operation at full load, and contracts with local fuel suppliers to promptly replenish when necessary.

Data centres

Sage Inventory Advisor makes use of two data centre providers:

Our customers’ data are hosted at the following data centres:

  • North America
    • Linode – Newark, NJ
    • Linode – Fremont, CA
    • Linode – Atlanta, GA
    • Linode – Dallas, TX
  • Africa and Europe
    • Linode – London, UK
    • Hetzner – Nuremberg, DE
    • Hetzner – Falkenstein, DE
  • Australia and New Zealand
    • Linode – Tokyo, JP
    • Hetzner – Nuremberg, DE
    • Hetzner – Falkenstein, DE

3. Storage security

All our servers run an open source software stack:

  • Linux
  • MySQL
  • Ruby-on-Rails
  • Nginx
  • SecureFTP

Our servers are all behind firewalls with strict rules allowing only the following traffic:

  • www – port 80/tcp
  • https – port 443/tcp
  • ssh/sftp – port 22/tcp

Back-end logins into our servers can only happen with RSA keys, and not via passwords. This means that personnel of Sage Inventory Advisor’s access to our back-end servers can be revoked at any time

Our servers are protected from brute-force attacks by automatically banning anyone with 3 failed login attempts for an hour. This happens at the firewall level.

All the OS and application software are patched daily for any security vulnerabilities.

4. Data isolation

Every customer’s data is completely isolated from every other customer’s data, by using a seperate Database to store their data in.

Similarly, every customer accesses the Sage Inventory Advisor service using a unique URL for that customer. A user’s login credentials can never work on another customer’s instance of Sage Inventory Advisor.

5. Backups

All data on all servers are backed up every 24 hours. Full backups are retained for 14 days. Any customer’s data can be restored, and depending on the size of the customer’s data the restore will take up to 4 hours to complete.

In case of a catastrophic server failure, new VPSes are spinned up, and customer data restored. The longest a customer will be without a working Sage Inventory Advisor system is 48 hours. Typically it’s less than 8 hours.

Backups are stored in a geographic separate data centre, so that a data centre disaster doesn’t affect both the operational servers and the backup servers.

As Sage Inventory Advisor is not a mission-critical system, we do not offer automatic fail-over to stand-by servers. This also keeps the monthly cost down for our customers.

6. Web security

All access to a customer’s instance of Sage Inventory Advisor goes over the https protocol. Our SSL certificates are signed by trusted CAs. All requests to our web app are protected against Cross-Site Request Forgery.

This means that Man-In-The-Middle attacks are exceedingly difficult to perform. No-one can read our customers’ information whilst in-transit to and from our web servers.

All sessions are automatically logged out after a period of non-use, helping to guard against unauthorised usage of a logged-in system.

Only password hashes are stored in our databases. So even if the password hashes were obtained, they cannot be used to log into Sage Inventory Advisor.

7. Data retention

In the case that a customer cancels their Sage Inventory Advisor subscription, we retain an archive of the customer’s data for three months. This allows for an easier re-instatement of the service, if requested. After three months the data will be deleted forever, even from our backup servers. A full dump of a customer’s data is available upon request in the three month period.