As online security takes center stage in the public eye, Volusion has been proactively working to beef up its security. To get an inside glimpse on what’s taking place, check out this article from our Vice President of IT, Steve Krebsbach.
Cyber security has deservedly become a hot topic in the public arena, and the subject particularly resonates here at Volusion. As the internet continues to weave itself into more and more angles of our everyday lives, so does the opportunity for cybercriminals to take advantage of our reliance on the digital space. And while we’ve all heard the stories of cyber warfare between world governments, what isn’t as high profile is the amount of attacks against ecommerce sites, especially in North America.
In fact, Trustwave’s latest Global Security Report indicates that the retail industry is now the top target for cybercriminals, with ecommerce attacks emerging as a rapidly growing trend. This rise in attacks is tied to the increase in popularity of online shopping, which provides a treasure trove of credit card information for those looking to maliciously obtain it. This aspect in itself is a major cause for concern, and SaaS providers, particularly those in the ecommerce space, have been required to rapidly respond.
Of equally high concern is the increase in the amount and severity of Denial of Service (DoS) attacks aimed at websites across the globe. Over the past few months, we’ve witnessed the most notorious DoS attacks in history – some of which crippled the websites of major financial institutions, including Wells Fargo, Bank of America and J.P. Morgan Chase. It’s important to note that DoS attacks aren’t deployed with the intent to access credit card information, but are still a key component of a truly comprehensive online security strategy.
Just last month, the biggest cyberattack in history was launched, causing severe latency in internet speeds across Europe. The scary aspect of that particular attack was its nature: instead of attacking a specific server, this one went after the actual backbone of the internet’s infrastructure. Even more, the attacks were pointing up to 300 gigabits/second at its targets, which can overwhelm even the most sophisticated internet service provider’s infrastructure.
Because of this, Volusion has invested millions of dollars and thousands of hours to beef up our infrastructure to make merchant’s sites more secure and less vulnerable to cybercriminals. To us, PCI compliance is a small piece of the security puzzle – that’s why we’ve taken extra steps to enhance performance and protect our merchants’ most sensitive data.
Here’s what we’ve done and continue to do to keep our customers as safe as we can.
Volusion’s ongoing security efforts
There’s a cycle of upgrades and enhancements that we must make as a SaaS provider to ensure top performance, increased capacity and improved security on an ongoing basis. In order to do so, there are three main areas I’ve made a focus for us to achieve our goals from a hosting and security standpoint: technology, processes and people.
Technology: Building a digital fortress
Over the years, we’ve learned a lot about hosting, even enduring some performance growing pains along the way. Because of these lessons, we’re now in a prime position to leverage our experience to enhance our environment for optimal performance.
One of the main takeaways we’ve seen across the industry is that a hosting provider is only as good as the technology that powers its infrastructure. This is why we’ve invested multiple millions in capital expenditures to provide the safest and most reliable hosting that we can. In fact, we’ve gone above and beyond what an average hosting provider has to offer, creating a security infrastructure that is 15 layers deep, with plans to add two more layers in the near feature. In this day and age, each layer counts.
Picture these layers as a digital fortress, providing multiple levels of protection and fail-safes from any type of attack. For example, we use a two-tier DDoS defense solution, which includes both cloud-based and on-premise solutions, designed to handle a variety of different and complex DDoS attack types. We’ve also implemented edge routers, which leverage Access Control Lists (ACLs) to mitigate attacks by only allowing authorized traffic, while still providing efficient processing by security devices within the network.
Additionally, we use multiple layer 7 firewalls to improve our ability to block potential attacks. These firewalls inspect traffic, only allowing accepted traffic to hosts. The firewall also can identify traffic that matches known attack signatures (updated daily) and can dynamically block its access to our hosts.
Beyond blocking and defending against malicious traffic, we’ve set up our infrastructure in a way that helps fortify your most sensitive data. To begin, we leverage network segmentation and security zoning, meaning that we separate our network into segments to control what traffic traverses between those segments. This assures that any security threats that do get through are localized, and their potential impact remains minimal. Our security zoning makes it difficult for an attacker to go from systems in one zone to another, and it can slow the spread of viruses and worms.
We use a similar approach to separate our customers’ website functionality into two tiers: a web application tier and a data tier. The web application tier contains the functionality of their sites, including images, content, etc. This tier does not contain critical customer data. The data tier, on the other hand, is where confidential information is stored, and it resides in the most secure part of the company network.
In addition to the design and layout of our infrastructure, we also leverage several host-based security elements, including:
- OS Based Security Configurations: We follow industry best practices when configuring the OS running on the hosts to ensure they’re secure, which means that we regularly configure, verify and monitor operating systems to provide protection from attacks targeting vulnerabilities in the OS.
- Application-Based Security Configurations: We follow industry best practices when configuring the applications running on the hosts to ensure they’re secure.
- Anti-Virus/Anti-Malware: We use a highly rated anti-virus / anti-malware solution to scan for known threats. This includes scans performed on a scheduled basis as well as scans of all files as they are accessed.
- Vulnerability Scanning: We use a variety of scanning tools to inspect hosts and web applications for any signs they may be vulnerable to attack. These include commercial and open source tools that are recognized as best of breed. Scans are performed on a scheduled basis as well as prior to any significant changes to detect issues prior to release.
- File Integrity Monitoring: Any changes to critical system files and directories will be identified in real time and generate alerts, preventing attackers from adding or modifying files.
- Event Monitoring and Correlation: Hosts communicate system, security and application events in real time to an event correlation engine which can identify patterns to indicate potential malicious activity. Alerts from this engine are sent to the Securities Operation Center (SOC) and the information security team.
- Redundancy, Failover and High Availability: This infrastructure is constructed to be highly available and each layer has a pair of devices to ensure that if one fails the other picks up the traffic seamlessly with no impact on the customer’s environment.
By keeping our hosting infrastructure in-house, we’re in the unique position to enhance and invest in the technology that powers operations from behind the scenes. Because of this, we have the flexibility to go beyond what an average hosting provider has to offer, with the ability to make changes and respond immediately.
Technology is clearly one of the most critical components when it comes to security, and we’ve done our part to ensure that we provide best-in-breed tools and capabilities for our merchants.
Processes: Ongoing assessment, analysis and monitoring
Security isn’t just a one-time occurrence – it’s something that we must continuously and relentlessly address. Even the most advanced technology falls short without ongoing assessment, analysis and monitoring, which is where effective processes make all the difference.
Here’s a brief look into our in-house security personnel and processes:
Information Security Team
- Analyze system behavior for suspicious activities
- Perform internal security assessments
Security Operations Center (SOC)
- 24×7 monitoring of systems and infrastructure
- Respond to alerts/anomalous behavior
Computing Security Incident Response Team
- Develop and implement best of breed incident response strategies
- Respond to computing security incident reports and activities
- Perform industry accepted compliance audits
- Perform external black box penetration testing
Beyond these in-depth processes, we believe that security begins at the product level. That’s why, with each and every product enhancement, our IT team conducts rigorous quality assurance (QA) testing in regards to security. If a threat or vulnerability is detected during this process, we send the enhancement in question back to the Development team for reworking and revision. Then the security QA begins all over again.
We’re firm believers that security is a marathon, not a sprint. It’s easier to simply prep your hosting facilities for a yearly external audit. But to truly stay ahead of changing security threats, you have to analyze and value each and every step of the race.
People: Placing your security in good hands
Of course, technology and processes can’t work together without the direction from the most important part of our security measures: Volusion’s growing team of experienced and dedicated IT professionals. Over the past year, we’ve tripled our IT team to enhance our hosting, performance and security capabilities. In fact, we’ve hired several IT roles that are solely dedicated to security protections.
Our IT hires come from a wide range of professional backgrounds, many of whom have worked for the world’s top hosting and technology companies. Add that to a strong foundational team of members that have worked with the Volusion platform for many, many years. And yes, we’ve even got ex-Military Security personnel on staff.
We encourage our IT team to continue their professional growth, including the pursuit and achievement of industry-endorsed certifications. And of equal importance, our work environment is structured for the highest level of collaboration possible – by allowing these experts to openly share their knowledge, we’re much more agile in making improvements and making responses as quickly and efficiently as possible.
I’m excited and very proud to lead this team as we address the security needs of an expanding organization and increasingly complex ecommerce industry. Rest assured that the safety and performance of each of our customers’ sites are in good hands.
This three-pronged approach to security has allowed us to overcome the increasingly difficult challenges that any hosting provider must address. By combining the effects of powerful technology, rigorous security process and an experienced, professional team, we’re in a much more stable and confident place from a security standpoint.
What these efforts mean for our customers
When other ecommerce providers settle for the minimum requirements, you might ask why we would invest so many resources into our hosting infrastructure. It’s simple: we have no other choice. With the frequency and severity of attacks increasing across our industry, it’s our absolute obligation to protect the data and performance that powers our thousands of online stores.
As a result of these investments, our merchants can focus on what they do best: managing and growing their businesses. By allowing us to handle the security aspect, Volusion storeowners receive multiple benefits, regardless of what plan they’re on or what type of product they’re selling:
- Enormous cost savings: To independently acquire the amount of protections we’ve put in place, one would have to make large investments in technology and IT staffing to meet their needs. Beyond that, hosting providers charge more for each additional security enhancement that’s utilized, which quickly adds up upon ordering more from the security menu. With Volusion, for one affordable cost, all of our merchants reap the benefits of the time and financial resources that we’ve leveraged.
- Time efficiencies: For merchants looking to manage their own hosting (such as those using open source solutions), it takes a lot of time and effort to address the security concerns in today’s world. In order to achieve a similar structure of layered security, one would have to manage multiple vendors, all with differing technologies and integration issues. Even more, we keep up with all of the latest security developments so that you’re not stuck poring over the latest news impacting the industry.
- Removal of guesswork: Even if an online business owner is using an ecommerce solution with outsourced hosting, there are several questions and details that must be addressed by their provider when selecting specific aspects of hosting. For example, when an ecommerce provider outsources their hosting, they’re fully dependent on their hosting provider to assemble and acquire the right hardware and infrastructure for their needs. In other words, if the ecommerce provider doesn’t ask the right questions, their ecommerce merchants don’t get the right tools needed for protection.
- Increased security: Naturally, one of the most obvious benefits to our in-house hosting efforts and investments is heightened security. Because we have full control over our infrastructure, we can quickly make enhancements to our systems and immediately respond. With outsourced hosting, an ecommerce provider is dependent on their hosting provider to address and respond to potential attacks or issues. Also, outsourced hosting and/or independent merchant hosting typically doesn’t afford the sheer level of security protections we’ve put in place, often due to cost restrictions.
At the end of the day, these benefits are why we’re so committed to making our merchants’ sites as secure as we can. Quite simply, we don’t think it’s right for customers to have to worry about security details, on top of the hundreds of decisions a business owner must make to help expand their presence.
It’s been my mission since day one of joining Volusion to ensure that our merchants can enjoy the peace of mind that comes with using a solution that’s dedicated to the utmost of security. It has been my privilege to work closely with my incredibly talented IT team to achieve this mission, and to see the fruits of our labor being passed along to our customers.
Because when you boil down all of this time and technology to its core, it’s all about letting Volusion storeowners forge their business ahead without being afraid of what’s lurking on the internet.
-Steve Krebsbach, Vice President of Information Technology, Volusion