Posts categorized "Ecommerce Hosting"

22 January 2008

Minimize risk of denial-of-service hosting attacks

If there's a risk to an e-commerce website's uptime or performance that's hard to eliminate, it's the periodic instance of what's known as a denial of service attack (DOS). (In short, it means someone floods your server with so many requests that it chokes -- and prevents your site visitors from viewing your pages.) Refinements of Total Blue System's hosting infrastructure released this week ought to improve your e-commerce site's ability to weather such an attack.

We'll spare the details; suffice it to say there are configurations at the Linux kernel level (we use Red Hat Enterprise as our Linux distribution), as well as tuning of the connection management for our database, MySQL. And more.

The DOS attack, even if inadvertent, accounts for the majority of the instances recorded in our Status blog, which identifies our server cluster's unscheduled hosting downtime.
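The "flood of requests" described above is visible in ordinary web server access logs well before the server chokes. The following is an added example, not code from Total Blue System: it parses constructed log lines in the common Apache/Nginx "combined" format and flags any client address whose request count in a 10-second window exceeds a threshold, so a hosting team can confirm an unscheduled outage was request-volume driven and feed the offending addresses to whatever rate limiting sits at the kernel or web server level.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a well-formed line, or None for one that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooding_ips(lines, window_seconds=10, threshold=100):
    """Return {ip: peak requests in any single window} for IPs whose peak exceeds threshold."""
    buckets = defaultdict(Counter)  # ip -> Counter(window index -> request count)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole analysis
        ip, ts = parsed
        buckets[ip][int(ts.timestamp()) // window_seconds] += 1
    return {ip: max(c.values()) for ip, c in buckets.items() if max(c.values()) > threshold}


def _make_line(ip, second, path):
    # Helper to build constructed sample lines; the timestamps are fictitious.
    return f'{ip} - - [22/Jan/2008:10:00:{second:02d} -0500] "GET {path} HTTP/1.1" 200 512'


# Constructed sample traffic (documentation IP ranges, not real clients): one source sends
# 300 requests within 5 seconds, another browses at a normal pace, plus one unparseable line.
SAMPLE_LINES = (
    [_make_line("203.0.113.7", s % 5, "/cart") for s in range(300)]
    + [_make_line("198.51.100.9", s, "/product/42") for s in range(0, 30, 3)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, peak in find_flooding_ips(SAMPLE_LINES).items():
        print(f"{ip}: peak {peak} requests in a 10-second window")
```

The threshold is a tuning knob: set it from the site's own baseline so that a legitimate burst (a crawler, a newsletter send) does not look like a flood.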

19 December 2007

PCI computer and network security audit, on-site Day 2

Moving into Day 2 of our PCI on-site audit, there's a full schedule ahead. Yesterday's Day 1 proceeded well enough, but the auditor wouldn't be an auditor if he didn't find something to be given more attention or improvement. So as we follow up on further enhancements itemized in Day 1, here's what we're looking forward to today:

  • Analysis of our network and software application topology, which means a map of what data goes where, how.
  • The overall transaction flow for payment information will be examined and vetted for integrity. So, too, will be our internal business processes and those of our merchants, insofar as we as the service provider automatically hand off payment details of an order for processing by the merchant.
  • More firewall configuration examinations today, as details matter when it comes to who gets in, who doesn't, and who can even observe what exists behind the wall.
  • Examination of how, exactly, sensitive payment information is stored after being collected through the shopping cart. Of course, it's encrypted. But this audit actually involves line by line examination of our software's code for doing so, and then some.
  • The auditor will assess how our systems monitor access to all parts of the network, and log data about who does what with any sensitive payment or cardholder information. To use an analogy, a hardened wall is insufficient, there are also prying cameras recording what happens on the inside.
  • Configuration standards will be given more attention again today. It's fortunate that for the part where we rely on our hosting partner Rackspace, they're well vetted in terms of business process controls and accountability, having been certified to the SAS 70 standard for many years. That's insufficient for the PCI standard and for our own operational processes, but it helps.
  • Audit of our anti-virus, spyware, adware systems as a defensive measure from external attacks. As it turns out, this is less of an issue as our ecommerce hosting runs on a hardened Linux operating system, specifically Red Hat Enterprise. And most of our team's personal computers are either Macs or Linux, which are comparatively less of a target than Windows.

And the march goes on.

18 December 2007

PCI computer and network security audit, on-site Day 1

As our turn-key ecommerce package includes software and web hosting, Total Blue System bears much responsibility for ensuring merchants can operate it in compliance to data security standards. Obligations for merchants who collect credit cards and other sensitive payment information are defined in the Payment Card Industry's Data Security Standard (PCI DSS). To demonstrate our compliance as a qualified service provider to merchants, we've arranged an audit by a security consulting firm, SecurityMetrics.

Today's the big first day of our on-site audit, where the auditor will personally inspect servers in our data center and much, much more. Visa, Mastercard and American Express require this on-site audit for the largest companies that qualify as a payment gateway, plus anyone who's ever experienced a data compromise event. That "event" is industry lingo for being hacked, cracked, or otherwise had credit card numbers exposed. And that's our sad story, going back to 2005.

Now it's time for a redemption, of sorts. Today's the day our myriad preparations for an incredibly secure ecommerce hosting environment and software application are put to the test. Tests and probes actually started in November, but today's symbolic as the first on-site. On the agenda:

  • Examination of our system's firewalls, switches, and overall network configuration.
  • Tour of the world-class data center operated by Rackspace that manages our hardware and terrific network, including auditing of access controls and physical security.
  • Examination of our security systems, including tests of our intrusion detection system and logging devices.
  • Assessment of our system configuration standards and related business processes.

It's not sexy, but it's certainly thorough. We're feeling breathless all the same, either out of exhaustion in getting ready for it all, or in anticipation of being crowned worthy. For our merchants, this gives you the confidence to know our security efforts are validated and your compliance, via our compliance, is going to be certified.

15 June 2007

Business email storage upgraded

Our e-commerce hosting includes business-class email for your company's personal communications. Now we've just upgraded the storage from 1 GB to 2 GB of data. With webmail access, and IMAP from your desktop email client, you can keep all the emails that are important to you on the server.

If you'd like all of your company's accounts to be upgraded, please request this by contacting your account manager. There's no set-up fee; all is included in your normal software license. Enjoy.

07 April 2007

PCI compliant vulnerability scanning: what's included

Jeopardizing your business with the threat of fraudulent payments is trouble enough. But the risk factor goes way up if hackers compromise sensitive financial data belonging to your customers, the credit card holders. The safe path includes maintaining your compliance to the Payment Card Industry's Data Security Standard, and that means regular vulnerability scanning.

Total Blue System-powered clients now receive complimentary PCI vulnerability scans for their e-commerce websites, included in your normal license fee. This builds upon the support for resolving vulnerability scan alerts that we've long provided. Now you can enjoy the peace of mind with both needs met: regular quarterly vulnerability scans from a VISA-certified provider and all the help you need to see real and false positive alerts resolved and passing scan certifications given to you for your records.

Note: we've selected SecurityMetrics as our vulnerability scanning partner for 2007. We're familiar of course with ScanAlert and the PCI scanning services they provide in addition to their HackerSafe designation. Many clients make use of this trust-building tool, and receive our help in passing scans. But our experience shows SecurityMetrics scans to be superior for the needs of our e-commerce merchant clientele.


03 April 2007

Upgrade to our business class webmail service

A business class email system for personal messaging is an important part of the Total Blue System turn-key e-commerce package. As a client, you get an unlimited number of mailboxes for your company's staff and access to a first-rate webmail client for access on-the-road or away from your daily work computer.

While POP and IMAP email access is available through any desktop email client, we've found many clients choose to access their mail through the web browser -- even when working at the office. It's the webmail client that was just upgraded.

Here are highlighted improvements:

1) User Controlled Sharing / Collaboration.
--a. Shared calendaring is enabled for all users under the domain
--b. Users have the capability of making an entry in the calendar as "private" or "public,"
--c. Users can restrict who can view their calendar,
--d. Users can select which calendars they wish to be able to view (only calendars for users who have not blocked them).

2) Layout Changes. The new layout contains a new tab/menu system and a new left menu.

3) Performance Enhancements / Bug Fixes. There are numerous performance related improvements, including bug fixes.

4) Read Mail Improvements.
--a. Ability to save all attachments with one click,
--b. Drag and drop messages,
--c. Added multiple flags,
--d. Added print link to the preview pane,
--e. All addresses in the header are now clickable (will open compose page),
--f. Added folder column to search results when searching multiple folders

5) Compose Mail Improvements.
--a. Auto-save drafts,
--b. New HTML editor,
--c. New spell checker including Spanish

6)  Tasks.  Users can create and manage multiple task lists.

7) Shared Calendars. The “Calendar Manager” is comprised of two sections; one for editing a personal calendar, the other for managing which calendars are visible.

8) Invitations. Users have the capability, when adding an event to a calendar, to invite other users to the event. Invitations are sent out as emails with a specially formatted attachment that can be parsed by the webmail email application, and other “iCal” compliant applications such as Outlook and gmail.

31 January 2007

Perfect uptime for Holiday 2006

Hosting uptime met our high expectations for the peak Christmas holiday selling season in 2006. An audit completed today measured any instances when e-commerce websites of our clients did not respond to a visitor's request to load a web page. The results show perfect 100% uptime for the last 60 days of the year.

This measurement by our third-party performance monitoring vendor included both slow and no responses from servers. It excludes a scheduled maintenance update that resulted in about 1 minute of downtime on 10 December. The result is better than our promised 99.9% uptime service level during the time of year when it counts the most.

Since the 60 day perfect streak, uptime remains strong through January. An instance with one of our e-commerce sites on 21 January triggered a site down alert, but it's unclear what caused it. The problem self-corrected before the next monitoring period could confirm it was in fact a server error. In another instance, a security related test performed on 19 January was predicted to degrade or possibly interrupt hosting uptime but ended up causing no measurable difference in performance. So far so good for January.

Is this just normal behavior for web hosting, or exceptional? A clue to answering that question is in our own performance monitoring reports, because we're also monitoring web pages for clients that are engaging our marketing services prior to switching to our Total Blue System e-commerce platform. The results are not the same for uptime or page load time as those experienced by our clients.

See for yourself in the chart shown below. This is an excerpt pulled from our monitoring vendor's reports that shows first the sites NOT hosted by E-business Coach, and the different uptime for those sites as a point of comparison to sites that we host.

[Chart: Uptimedashboard_070129_1, uptime comparison of non-hosted versus hosted sites]

30 November 2006

Managing your domain names for maximum uptime

We completed the migration of your site's domain name services from being managed by ZoneEdit.com to our hosting partner Rackspace.com. This consolidates the management of your domain names with your web hosting environment, in what we expect to be a more reliable solution long-term.

E-business Coach manages your domain names so as to maximize the uptime of your e-commerce site, including the important site launch transition when you first become a client. We also use it to create subdomains that point to your test and development websites, as well as subdomains for email marketing and special promotional sites. We've relied on our partner ZoneEdit.com to perform this service, but no longer.

On November 18 and 19, the unscheduled downtime that some of our clients experienced was caused by domain name services failures simultaneously at our primary and secondary name servers, powered by ZoneEdit.com. We have been unsatisfied with how ZoneEdit.com responds to its customers during  service interruptions, and this incident convinced us it wouldn't improve. Thanks for your cooperation during our migration process, especially during this peak selling season when we'd normally make no such system changes. The move went well, and your site experienced zero downtime during the transition.

05 November 2006

Webmail upgraded to more 'desktop-like' feel

Part of what comes with Total Blue System's license is unlimited email for your business, including a webmail service so you can check email from anywhere with just a web browser. That webmail service was just upgraded to provide a more "desktop-like" feel.

We rely on our hosting partner Rackspace.com to power your email, specifically their Noteworthy service, which include the webmail feature. Noteworthy's user interface received a substantial upgrade today.

Here's the highlights:

Advantages:

1. Faster webmail navigation

2. Enhanced search capabilities
--a. Can search specifically by folders or search all folders
--b. Can search for to, from, body, subject
--c. Can add specific search criteria: attachments, dates (or date range), "does not contain"
--d. Can do a Google Search

3. Enhanced sorting features
--a. Can sort by flagged mails
--b. Can sort by unread mails

4. Noteworthy contains new features but without collaboration
--a. Calendar
--b. Task list
----i. Users can now delete multiple tasks at once
----ii. Simplified functionality for adding tasks (To add a task using the field above the list, simply type the subject and press the "Enter" key)
----iii. Simplified functionality for marking tasks as completed (To mark a task as complete, users click the grey checkmark next to the task)
--c. Company directory
--d. RSS Reader

5. Enhanced RSS Feed editing capability
--a. users can now update the URL, Username, and Password for RSS Feeds

6. Enhanced safelisting and blacklisting functionality
--a. users can add IP's to their individual safelists
--b. users can add IP's to their individual blacklists

7. Enhanced "Check External Mail" feature to allow users to continue to use webmail while the external mailbox(es) are being checked

8. Internal popups added (so popups are within the same browser window) to several functions
--a. Task Form
--b. Folder / Feed form
--c. Other dialogs

9. Added "envelope" (mail) icon to allow users to click to mark an email as read or unread and toggle back and forth between the two


Disadvantages:

1. Longer initial load time (due to most data loading, including contact lists and calendar features)

2. Some features removed
--a. Feature to set time to 24 hour clock from 12 hour clock removed (in display preferences)
--b. Feature to set the wrap (in display preferences)
--c. Feature to adjust folder list width in "Folder List Option" no longer presented (changes made manually and the system remembers)

3. Some features removed but will be again in October
--a. Export to zip
--b. Option to add address to contact list from mail section

4. Removed folder option to "subscribe" or "unsubscribe" to folders

5. Removed "Conversation View" feature

6. Removed "Compose email in a new window" setting; the "compose" feature enables the compose window to use a popup

7. The Up, Down, and Delete keys only work in Internet Explorer


Changes:

1. "Account Options" is now "Settings" and is located in the top right corner

2. In "Settings" "jump to" drop down menu moved to the right side of the interface

3. The "purge" option remains, but the word is replaced with a trashcan icon in the folder list

4. Show sizes (in folder preferences) now a grey button on the top left

5. General visual enhancements (minor interface modifications)

6. "Check Mail" reloads the folder the user is in.


Please alert us to any questions or concerns in how to use this updated application from Noteworthy.