When our current VP of IT, Shad Lutz, joined Volusion in 2012, service availability was a major issue. A combination of infrastructure limitations, daily DDoS attacks, service migration errors, storage resource saturation, and regular power outages forced us to measure downtime in hours...or worse.
An infusion of new engineering talent and fresh server, network, and storage equipment made a number of significant improvements possible. New internet circuits were added, DDoS defense services were contracted, and core infrastructure was upgraded or replaced. Reusable equipment was redeployed into a more resilient, robust architecture, and much remains in use today.
This process took about a year and occurred over dozens of late-night maintenance sessions. With the immediate stability issues resolved, we turned our focus to the more distant horizon, planning and implementing numerous changes—large and small—to eventually deliver the great availability our customers have come to depend on: averaging 99.95% availability in 2016, and 99.99% so far this year.
Along with stabilization efforts, Volusion invested heavily in information security. The upgraded infrastructure included numerous process and technology improvements to contain DDoS attacks, filter out malicious traffic, provide rapid forensic analysis, and detect anomalous behavior. Patching was streamlined, access controls were tightened, and network segmentation was reinforced. Security training, secure code reviews, and security exercises became routine. Third-party penetration testing, vulnerability analysis, and bug hunts were employed to validate our work. We phished our own employees and tested the effectiveness of our training, and then built on the lessons learned.
In his novel Catch-22, Joseph Heller states, “Just because you're paranoid doesn't mean they aren't after you.” We believe that statement, and we work hard every day to ensure that our customers’ data is always secure. Although we’ve had our PCI-DSS compliance certified for the 10th year in a row, we consider it a mere footnote in the ongoing battle to beat back an ever-evolving threat environment.
In all, we’re pretty proud of these accomplishments. But we’re never really satisfied. That’s why we’re now taking the bold step of moving our hosting operations from a small data center in southern California to the Google Cloud Platform.
Many people ask why we’re making this change after working so hard to improve availability, performance, and security in our current hosting model. The answer is simple: we’re doing it for our customers. We want our customers to enjoy the benefits of having access to the largest global, private network in the world, massively scalable computer and storage resources, and peerless geographic flexibility.
We want to deliver new technologies and standards like HTTP/2, full site TLS/SSL, and globally distributed DNS. And most importantly, we want to ensure that we can respond quickly to the changing needs of our customers with rapid upscaling and more expedient delivery of features and bug fixes.
Volusion services on Google Cloud Platform will be faster, more secure, and more flexible than ever before. Right now our plan is to begin moving test stores next week, then we'll set the customer move schedule based on those learnings. We can’t wait to get there, and we’re confident our customers will be pleased with the results.