Some of the most important software a business runs is also the oldest. It works, everyone depends on it, and the whole operation is built around it. The trouble starts when that software is years past its support date and a security standard like Cyber Essentials comes knocking.
That was the position for a UK manufacturing client of ours. The business runs on Epicor 9.05, a capable ERP that is only certified to run on Windows Server 2008 R2, with its database on SQL Server 2008. Both are long past end of support. The client needed Cyber Essentials, and they were already planning a move to a new ERP over the next couple of years. What they could not do was rip out the system that runs the company just to satisfy an audit. Here is how we squared that circle, and why the result bought them something as valuable as the certificate: time.
Why this is hard
Cyber Essentials is strict about one thing above all: software has to be supported and patched. An ERP pinned to an unsupported operating system is close to an automatic failure, because no vendor is shipping patches for the holes attackers look for.
The obvious fix, “just replace it”, is the wrong place to start. Replacing an ERP is a multi-year programme that touches every department, and rushing that decision under audit pressure is how businesses end up with the wrong system badly implemented. We needed to make the estate secure and compliant now, and modernise everything we possibly could, while leaving the ERP replacement to be done properly later.
The approach: a 24-month stability programme
The principle was simple to say and detailed to deliver. Rebuild the whole Epicor environment in Microsoft Azure, side by side with the live system. Contain the one part that cannot be upgraded, modernise everything around it, and put a modern, supported, fully controlled layer in front of the lot. Then cut over with no downtime.

The shape of it is this. Staff never log in to the old servers. They reach Epicor through Azure Virtual Desktop, where it is published as a streamed RemoteApp. The legacy application servers sit in an isolated subnet that users and the internet simply cannot see. The database, the part we could modernise, was rebuilt on a current, highly available platform.
What it actually took
The headline is tidy. The engineering underneath it was the real work, delivered as four parallel workstreams in Azure.
A secure landing zone. We built a dedicated, governed landing zone using a hub-and-spoke network, with UK South as the primary region and UK West for disaster recovery. Everything runs default-deny: network security groups with least-privilege rules, FortiGate firewalls for stateful inspection, Private Endpoints so the platform services are never publicly exposed, and Azure Policy to block things like public IPs on servers. Microsoft Defender for Cloud, Azure Bastion for admin access with no public RDP, just-in-time access, and Entra ID with Conditional Access and MFA round it out, all logging to a central Log Analytics workspace.
A modernised database. This is the part most people miss. We did not leave the database stranded on SQL Server 2008. We rebuilt it on SQL Server 2022 in compatibility mode, which keeps Epicor 9.05 happy while moving the data onto a fully supported engine. We put it into an Always On Availability Group with automatic failover and a replica in the second region, encrypted it at rest and in transit, tightened access to least privilege, and cleaned up years of accumulated data and missing indexes along the way. The database went from a single point of failure to a resilient service.
A contained application tier. Epicor 9.05 only runs on Windows Server 2008 R2, so that constraint stays. What changes is everything around it. The app servers were rebuilt on hardened, CIS-aligned images, placed in their own isolated subnet behind the firewall and NSGs, given no inbound access from users and no outbound route to the internet, and connected to the database only over Private Link. The result is a legacy application that behaves like a sealed box. It does its job and it cannot be used as a way in.
Access through AVD. Users reach Epicor as a published RemoteApp on Azure Virtual Desktop, with FSLogix profiles for fast, consistent sessions and Conditional Access and MFA enforcing who can connect and from where. This is the layer people actually touch, and it is modern, supported, patched and monitored. That is what sits inside the Cyber Essentials scope, and it meets the standard.
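One way to test the "sealed box" property of the contained application tier described above is to evaluate the subnet's NSG rules in Azure's priority order against the flows the design must allow or deny. This is an added example, not the client's configuration or code from this project. The address ranges, rule priorities and the 8080 application port are constructed assumptions, and service tags are simplified to "inside the VNet" versus "everything else".

```python
import ipaddress

VNET = ipaddress.ip_network("10.20.0.0/16")  # constructed spoke address space

# Azure's built-in NSG rules. They allow intra-VNet traffic and outbound
# Internet, so "default-deny" only holds once explicit denies sit above them.
DEFAULTS = [
    (65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    (65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    (65500, "Inbound", "Deny", "*", "*", "*"),
    (65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    (65001, "Outbound", "Allow", "*", "Internet", "*"),
    (65500, "Outbound", "Deny", "*", "*", "*"),
]

# Constructed NSG for the legacy app subnet (10.20.2.0/24).
APP_NSG = [
    (100, "Inbound", "Allow", "10.20.1.0/24", "10.20.2.0/24", 8080),   # AVD hosts, placeholder port
    (4096, "Inbound", "Deny", "*", "*", "*"),
    (100, "Outbound", "Allow", "10.20.2.0/24", "10.20.3.4/32", 1433),  # SQL private endpoint
    (4096, "Outbound", "Deny", "*", "*", "*"),
]

# Flows the design must allow or deny: (name, direction, src, dst, port, expected)
FLOWS = [
    ("other VNet subnet -> app", "Inbound", "10.20.9.50", "10.20.2.10", 3389, "Deny"),
    ("AVD host -> app", "Inbound", "10.20.1.20", "10.20.2.10", 8080, "Allow"),
    ("app -> internet", "Outbound", "10.20.2.10", "198.51.100.7", 443, "Deny"),
    ("app -> SQL private endpoint", "Outbound", "10.20.2.10", "10.20.3.4", 1433, "Allow"),
    ("app -> other VNet host", "Outbound", "10.20.2.10", "10.20.9.50", 445, "Deny"),
]

def _match(spec, ip):
    # Match an address against '*', a simplified service tag, or a CIDR prefix.
    addr = ipaddress.ip_address(ip)
    tags = {"*": True, "VirtualNetwork": addr in VNET,
            "Internet": addr not in VNET,  # simplification: anything outside the VNet
            "AzureLoadBalancer": ip == "168.63.129.16"}
    return tags[spec] if spec in tags else addr in ipaddress.ip_network(spec)

def evaluate(rules, direction, src, dst, port):
    """Return (access, priority) of the first matching rule, lowest number first."""
    for prio, d, access, s, t, p in sorted(rules + DEFAULTS, key=lambda r: r[0]):
        if d == direction and _match(s, src) and _match(t, dst) and p in ("*", port):
            return access, prio

def audit(rules):
    """Names of flows whose verdict differs from what the design requires."""
    return [n for n, d, s, t, p, want in FLOWS if evaluate(rules, d, s, t, p)[0] != want]
```

`audit([])` lists the flows that Azure's built-in rules alone would get wrong (lateral traffic inside the VNet and outbound internet), while `audit(APP_NSG)` returns an empty list.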
We built all of this alongside the live system, tested it hard with the client’s own users, then cut over in a single maintenance window with the old environment kept read-only as a fallback. The on-premises network was tidied up at the same time, with the old flat network and legacy firewalls replaced by a resilient FortiGate pair and proper VLAN segmentation, watched over by our 24×7 operations centre.
The result: compliant today, free to choose tomorrow
The client passed Cyber Essentials. The part of the estate that staff and attackers can actually reach is modern, supported and properly controlled. The unupgradeable Epicor application is contained safely behind it, and the database that used to be a single point of failure is now highly available across two regions.
Just as importantly, they did it without making a rushed, expensive decision about their future ERP under audit pressure.

The Azure foundation gives them a genuine 24-month bridge. When they are ready, they can choose the right modern ERP and migrate on their own timeline, from a secure and stable footing, instead of jumping because a deadline forced their hand.
Stuck on something old but essential?
Plenty of good businesses run a critical, ageing line-of-business application they cannot simply switch off. The instinct is to panic about it. The better move is to contain it properly, modernise what you can, get compliant, and then plan the replacement with a clear head.
If that sounds familiar, whether it is an old ERP, a finance system or a bespoke application, we can help you make it secure and pass the audit without betting the business on a rushed migration. Take a look at our Azure and modern workplace services, or get in touch and we’ll talk through your options.