Rent-A-Cops…I Hate Rent-A-Cops
Well, we’re definitely in the home stretch of the e-commerce super-bowl season right now. It’s starting to become a well-known e-commerce fact that Mondays are typically the busiest e-commerce day of the week. An interesting commentary on society I’m sure - rather than facing the doldrums of another week at work, we go to the office, log on and…start shopping! This year is especially interesting, as the last Monday of the season falls a full week away from Christmas - just enough time to get that Playstation 3 by ground shipping. It’ll be interesting to see if consumers take that risk on Monday and break some e-commerce records.
Anyway, as promised in my last post, today I thought I’d talk a little about security, specifically as it applies to our Merchant and Pro products. I’m not going to pull a CNN here and broadcast exact specifics (“as you can see here, the 3rd cavalry is going to launch their surprise attack on this position in exactly 10 minutes…”), but there is a high-level discussion we can have here that doesn’t give away the secret sauce.
First of all, let me stress that security of our data is something we take very seriously here at CA. Is any system foolproof? Of course not, we’d be fools to think otherwise. We do, however, use well-established industry practices to secure your data, and have subjected ourselves to numerous internal and external security audits to validate our practices. With that said, we are always working to get even better.
Physical Security
First and foremost, there are the servers themselves. Our servers aren’t hanging out in a garage or under Marshall Smith’s desk; they live in a dedicated data center. If you’ve never seen a datacenter, they look a lot like this. If there’s a part of reality that’s straight out of a sci-fi movie, it’s a data center. Walking into one you could easily convince yourself that computers have taken over the world and you are the last human on earth. Time to wake up and feed your master.
Here’s a picture of a Google Data Center I found on, well, Google:
Anyway, there are several cool things to know about datacenters: they are climate controlled (servers do like their AC), have backup power systems, redundant Internet connections, and most importantly to this discussion, they are physically secured. You can’t just walk up to a datacenter and start unplugging computers. Many datacenters live in nondescript buildings (you won’t see a big sign on the road saying “Datacenter inside, come see our credit card numbers!”), and are secured by lock and key, 24/7 surveillance, and sometimes even a man trap. Man traps are pretty cool: they are basically secured airlock-like rooms into the facility where the guard is safely protected behind bulletproof glass, so he or she can buzz you into the facility only if you pass the security screening, with no fear of physical coercion.
It’s not uncommon for smaller companies to share the same datacenter, so once inside the facility you still need to pass yet another security hurdle: you need the guard to unlock a protective cage around your specific servers. Once this is opened up, then the technicians can do their maintenance and upgrades.
In the spirit of the “CNN effect”, I won’t tell you where our datacenter is, but I will assure you it has all of the above safeguards, and if you search really hard, maybe you’ll find Dick Cheney hanging out in the break room…
Network Security
I’m not an expert on this topic so I’ll leave this open to more qualified people to elaborate, but the biggest part of network security is properly firewalling your system network. These days a lot of us know firewalls because we all need to set one up on our home networks. Firewalls are a little more complex for production systems like ours as there are a lot of servers to segment and there’s a lot of communication occurring between our servers and external systems like eBay, PayPal, Google, etc. I like to think of a firewall as the “roach motel”, but in reverse. Traffic can go out, but it can’t come in. The traffic that we do need to come in is tightly locked down and routed specifically to hardware that is equipped to respond to those requests in a secure manner.
There’s a lot more to network security, but I’ll leave this topic open to a future post by someone more qualified than myself.
Data Security
We have a group here at ChannelAdvisor called the “Data Center Operations” group. On staff in that group is a team of dedicated database administrators who love and care for those systems (there are even rumors that some nights they’ve been known to “hug” the servers, but that may just be a wild rumor…). As part of their roles, they lock down internal and external access to our production database servers to a very small “need to know” group. Very few people in the company even have access to connect to our production servers. Not even Scot!
All sensitive information in our systems is encrypted prior to storage. This most especially includes passwords and credit card numbers. We use an industry standard encryption algorithm known as Advanced Encryption Standard, aka “Rijndael” (related to “Rivendell”? Hmm…) with 128-bit encryption keys. We also regularly change the keys used for the encryption. Think of this like changing the locks on your front door from time to time, always a good idea.
So this means even our vaunted DC Ops staff can never see the sensitive information in our system - if they looked at a table of credit card numbers, all they’d see is gunk like this “ACFDGFDG09GF943F49F90SDF90DSF8SDFKJH4KHR490R490IR4R0949038435…”. Only the application can decipher this “junk”, and only for users who log into the Merchant system with the appropriate “need to know” credentials (in other words, you, the seller).
In addition to encryption, we also purge this data on an automated schedule. For some data, this is after immediate use, and for others, it’s after 60 days. We take great measures to keep hackers out of our system, but if a hack were to occur, they would only get the indecipherable “gunk” from above, and only 60 days of that to boot. It takes an encryption key to decipher this information, and those keys are changed often and guarded highly.
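For the curious, here is an added sketch (not ChannelAdvisor's code) of the three controls described above working together: AES-128 field encryption, key rotation, and a 60-day purge. The GCM mode, the key ids, the record layout and the sample card number are all assumptions made for the illustration.

```javascript
// Added illustration with constructed keys and records; runs on Node.js.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_DAYS = 60;            // retention window stated in the post

// Hypothetical key ring: key id -> 128-bit AES key. In production the keys
// live in a KMS/HSM, never beside the data they protect.
const keyRing = new Map([['k1', randomBytes(16)]]);
let activeKeyId = 'k1';

function encryptField(plaintext, now = Date.now()) {
  const iv = randomBytes(12);         // fresh nonce for every stored value
  const c = createCipheriv('aes-128-gcm', keyRing.get(activeKeyId), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  // The key id is stored with the row so the right key can be found later.
  return { kid: activeKeyId, iv, ct, tag: c.getAuthTag(), storedAt: now };
}

function decryptField(rec) {
  const key = keyRing.get(rec.kid);
  if (!key) throw new Error(`key ${rec.kid} has been retired`);
  const d = createDecipheriv('aes-128-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);              // final() throws if the row was altered
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// Rotation: create a new key, re-encrypt live rows, then retire the old key.
function rotateKey(rows, newKid) {
  const oldKid = activeKeyId;
  const plains = rows.map(decryptField);
  keyRing.set(newKid, randomBytes(16));
  activeKeyId = newKid;
  const out = rows.map((r, i) => encryptField(plains[i], r.storedAt));
  keyRing.delete(oldKid);             // copies made under the old key are now unreadable
  return out;
}

// Purge: keep only rows younger than the retention window.
function purgeExpired(rows, now = Date.now()) {
  return rows.filter(r => now - r.storedAt < RETENTION_DAYS * DAY_MS);
}

// Constructed sample row (a well-known test card number, not real data).
const demo = encryptField('4111111111111111');
console.log(demo.kid, demo.ct.toString('hex'), decryptField(demo));
```

Retiring the old key after rotation is what makes a stolen older copy of the table useless, and the purge bounds how much a current copy can contain.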
Anyway, that’s about it for today. For those that were wondering about the title, it’s a quote from Men At Work, an old Charlie Sheen movie.
Happy Festivus!
