A Start-Up's Guide to E-Commerce Security, Speed and Scalability
Mar 19, 2010 5:00 AM PT
All new e-commerce businesses should address one vital question first and foremost: Will you collect and store payment card information on your Web site, or offload credit card processing to a PCI-compliant payment processor like PayPal? The answer to this question is paramount and should be well thought out when you are planning and developing your e-commerce Web application.
When feasible, outsourcing the storage and handling of credit cards to a trusted, capable and PCI-compliant payment processing provider is the most secure and most budget-friendly course of action. Even when you outsource payment processing -- the riskiest piece of running an e-commerce business -- you still must ensure your hosting environment can deliver speed and scalability that meets user expectations and includes security measures that protect your shoppers from a damaging hacker encounter.
Following are the tools and services you should be looking for.
Web Hosting Security Basics
The minimum requirements you need to transact business securely online:
Redundant firewall protection -- Firewalls help stop cyberattacks before they can penetrate the network perimeter. Having firewalls tuned and working in tandem helps ensure protection for your e-commerce environment.
Web application protection -- In addition to traditional firewalls, you'll need a Web application firewall, or WAF. This technology helps protect e-commerce organizations from application-level attacks like SQL injection and cross-site scripting (XSS). Application-level attacks occur when the hacker is attacking the Web site itself: your contact forms, login boxes, etc. Traditional firewalls are helpless to defend against these kinds of attacks, so a WAF is required.
DoS/DDoS mitigation -- Denial of Service and Distributed Denial of Service attacks hit your Web site with a flood of robot-directed, fake visitors that consume all available resources, lock up your server, and take your Web site offline. DoS/DDoS mitigation devices help ward off such events by providing a barrier between your server and the IP flood.
SSL VPN (Secure Sockets Layer virtual private network) -- It's a mouthful, but it's important to take note. SSL VPNs create a secure connection for remote users who will be administering the Web applications and hosting environment.
Vulnerability Monitoring -- Vulnerability monitoring services scan your Web application code around the clock looking for unexpected changes and malicious code that matches known "diseases" in the threat database. When a potential problem is uncovered, you'll be notified so you can resolve the problem.
Antivirus protection -- Antivirus software works much the same way as vulnerability monitoring, but the target of AV scans is different. Rather than reviewing Web application code, antivirus software reviews files and services stored on the physical server.
Two-factor authentication -- 2FA requires Web site administrators to go through two layers of security before obtaining access to the hosting environment. Two-factor authentication helps prevent the most common cause of data theft -- password leaks. Two-factor is unique because it challenges you with something you know and something you have.
Encrypted backup, service monitoring and response -- While these protective measures are available from most Web-hosting companies, they're not ALWAYS included. Make sure you know what you're getting.
Performance Wish List
Cadillac hosting solutions that provide speed and scalability for SMBs on a Camry budget:
High Availability -- The Web is the front door for your e-commerce site. When your Web site is offline, it is like bolting the door shut and surrounding your office building with caution tape. Really, it's that serious. This is very discouraging to online shoppers. High availability hosting helps ensure your Web site is NEVER offline, even for necessities like patching, hardware upgrades, and other required maintenance.
CDN (Content Delivery Network) -- A CDN performs several important functions for online retailers. First, content delivery networks make Web site content available to users around the world. The service also helps ensure multimedia components (product photos, videos, demonstrations) load quickly for all users, regardless of where they are located. Finally, a CDN provides additional throughput when your Web site receives an unexpected spike in traffic. Oprah, bring it on!
Virtualization -- Virtualized servers are quickly scalable, but you need to make sure they are secure. Deploying upgrades, installing patches, and migrating hardware can happen in minutes, if not seconds, of scheduled downtime rather than the lengthy outages synonymous with traditional dedicated hosting of the past.
Successful e-commerce companies will require all of these performance features at some point. Migrating your Web application is always a risky and time-consuming proposition. While you're small and agile, you should align with vendors that can
1) provide security and protection for e-commerce retailers on a budget;
2) provide content acceleration for e-commerce startups with rich multimedia components or global distribution; and
3) provide scalable server resources on demand with built-in business continuity planning.
For e-commerce startups, developing a reliable Web application and backing it with a hosting environment that ensures maximum uptime, infinite scalability and protection from hackers can feel like the most daunting task. Considering your long-term needs from the start can save you a world of pain, time and money later, when everything comes together and your online business soars.
Chris Drake is CEO and founder of FireHost which delivers enterprise-level secure Web-hosting solutions to SMBs.