Don't Let The Grinch Steal Your Traffic!

How To Keep Your Website Secure This Holiday Season

With the launch of the post-Thanksgiving sales now in the recent past and the holiday shopping season well and truly upon us, e-commerce companies in the United States and elsewhere around the world are nervously monitoring their Web infrastructure and operations to make sure they remain online and respond quickly as traffic increases. eMarketer estimates that 2010 US online holiday sales will reach $38.5 billion as consumers seeking convenience, selection and great deals are shifting a larger share of their purchases to the Internet. In such an environment, ensuring the security and stability of mission-critical, revenue-generating Web sites is a greater imperative than ever.

While Cyber Monday and Black Friday bargains receive the most media attention, those are not always the biggest days for holiday retail sales, according to the National Retail Federation. That honor is often held by the last Saturday before Christmas. There can be no denying that the next few weeks are the most important to the retail sector. Overall, the last two months of the year can account for as much as 40 percent of total annual sales for some US retailers, with some $447 billion of goods expected to be sold over the period this year. With consumers increasingly looking online for price and convenience, bigger slices of this seasonal sales pie are coming to rely upon stable e-commerce Web sites.

Protecting Web Sites

Just as in the offline world, a vast influx of genuine and enthusiastic customers can present risks. Web sites can be brought to their knees by large numbers of bargain hunters and panicking last-minute gift buyers. For any e-commerce site, downtime during the holiday season is unthinkable, and yet even the largest sites still suffer from performance problems, and sometimes outages, every time the pre-Christmas shopping rush comes around. In the 2009 holiday period, Web performance measurement company Keynote Systems found that at least six of the major e-commerce sites it tracks suffered what it called "meltdown", with nine more experiencing "major slowdowns." As anybody who has ever closed their browser in frustration while trying to navigate a shopping cart or checkout on an unresponsive Web site will appreciate, poor performance directly leads to lost revenue. Availability means more than just up-time.

Many organizations already have special technology policies that come into play at this time of year, for example putting a hold on upgrades to their live e-commerce applications. Nobody wants to take new code into a production environment during a period of heavy sales that would be particularly sensitive to disruption, so these projects are often put on a back-burner until the New Year. Similar seasonal policies regarding security and availability are worth considering too. With so much revenue relying upon such a relatively short period of time, online businesses cannot afford to fall victim to the opportunistic wrongdoers who would seek to cause mischief during this critical period.

Here are a few things that you should check on to ensure that your site will remain stable this holiday shopping season:

#1: Ensure your systems are up to date, patched and correctly configured

No e-commerce company should go into the holiday period with unpatched or poorly configured systems. The pre-season watershed is a perfect opportunity for an audit, ensuring that all systems are fully patched and defended against known and zero-day exploits in advance of the anticipated influx of customers. Systems should be scanned for rootkits, which are increasingly becoming the back doors by which malefactors enter organizations' networks. And, bearing in mind that the Common Vulnerabilities and Exposures list currently publishes on average 10 new vulnerabilities every day, ongoing patching and vulnerability awareness are a must throughout.

#2: Eliminate bottlenecks

Availability and redundancy are also key. Over-provisioning and avoiding bottlenecks wherever they might occur are crucial strategies when it comes to maintaining up-time and ensuring stable performance. Companies are already finding value in new cloud services that allow them to more quickly and economically ramp up capacity during times of great demand. Local and global load-balancing have long been recognized as winning strategies for spreading the risk of impairment and downtime between servers and geographically distributed nodes. Nowadays, no serious e-commerce company would even consider sole-sourcing a hosting or connectivity service.

#3: Create a redundant DNS network

Making sure consumers can get to your web site is as important as staying stable once they get to it. This is done via the Domain Name System, a sometimes overlooked potential bottleneck. It is estimated that about 10% of all e-commerce access occurs via mobile devices such as the iPhone, Android devices or the iPad, which often access the Internet through slower cell-based networks – being fast and easily accessible on the DNS is more critical now than ever before. The best way to ensure performance is by implementing IP Anycast on your name servers, and by adding a reliable secondary DNS provider to ensure redundancy. Anycast is a load-balancing technology that is widely deployed and used to reduce the risk of website downtime.
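
An added example, not part of the original article: a Python check of the DNS redundancy described in #3, flagging a delegation that depends on one provider or one network prefix, or whose secondary serves an older copy of the zone. The hostnames, addresses and SOA serials are constructed, and treating the last two hostname labels as the provider is an assumption.

```python
import ipaddress
from collections import defaultdict

def provider_of(ns_host):
    # Assumption: the provider is approximated by the last two labels of the
    # name server hostname; suffixes such as co.uk need a public-suffix list.
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def audit_delegation(servers):
    """servers: {ns_hostname: {"ips": [...], "serial": int}} -> list of findings."""
    if not servers:
        return ["no name servers"]
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two name servers")
    providers = {provider_of(h) for h in servers}
    if len(providers) < 2:
        findings.append("single DNS provider: " + ", ".join(sorted(providers)))
    # Servers sharing a /24 (IPv4) or /48 (IPv6) likely share a failure domain.
    nets = defaultdict(set)
    for host, info in servers.items():
        for ip in info["ips"]:
            addr = ipaddress.ip_address(ip)
            prefix = 24 if addr.version == 4 else 48
            nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(host)
    if len(nets) < 2:
        findings.append("all name servers sit in one network prefix")
    # A server behind the highest SOA serial is answering with stale zone data.
    # Simplification: plain integer comparison, no serial-number wraparound.
    newest = max(info["serial"] for info in servers.values())
    for host, info in sorted(servers.items()):
        if info["serial"] != newest:
            findings.append(f"{host} serial {info['serial']} behind {newest}")
    return findings

# Constructed sample data (documentation address ranges, .example names).
SINGLE_PROVIDER = {
    "ns1.dns-a.example": {"ips": ["192.0.2.10"], "serial": 2010120101},
    "ns2.dns-a.example": {"ips": ["192.0.2.11"], "serial": 2010120101},
}
STALE_SECONDARY = {
    "ns1.dns-a.example": {"ips": ["192.0.2.10"], "serial": 2010120102},
    "ns1.dns-b.example": {"ips": ["198.51.100.10"], "serial": 2010120101},
}

if __name__ == "__main__":
    for name, zone in (("single", SINGLE_PROVIDER), ("stale", STALE_SECONDARY)):
        print(name, audit_delegation(zone))
```

In practice the input would come from asking each delegated name server for the zone's SOA record. An anycast address counts as one prefix here even though many nodes answer on it.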

In the few short years since terms like "Cyber Monday" were first coined, performance-monitoring companies have noted incremental improvements in how the companies most sensitive to holiday period seasonality cope with the increased pressure. Technology is improving, best practices are becoming more widely adopted, and capacity is becoming easier to come by. While struggling through the busy season can still be challenging, using the strategies listed above might help your organization sail through to the New Year without a major crisis.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.