eCommerce forecast: cloudy, with a chance of audit

Brad Buhl

It’s Black Friday and your eCommerce server utilization has spiked for hours, sending DoS (denial of service) errors out to over 5,000 potential customers!!!

At this point, most IT professionals would deploy another server in the eCommerce environment as quickly as they could – or ratchet up resources on an eCommerce virtual server instance. What else can be done? Enter cloud…

Cloudy Introductions

I was first introduced to ‘the cloud’ a decade ago, looking at a network topology on a technical architecture diagram (try saying that fast five times). The ‘as-is’ state was a point-to-point solution using multiple T1 lines (not yet cost-justified for a DS3, for you technophiles out there). The ‘to-be’ state incorporated Frame Relay “over the cloud,” which simply meant that several T1 lines, a hop, skip and jump away from the two physical locations, would be magically managed and integrated by the network provider, providing network redundancy and ultimately a higher class of service.

It sounded great, but as with all service contracts, at the end of the day the daily operation of the Frame Relay network came down to service level agreements and penalties. If the penalties weren’t strong enough, the network provider would invariably lower the priority of a service issue until an executive-to-executive (yes, E2E drives B2B) conversation took place along the lines of, “I’d like to review Section 14, Termination, with you.”

So, flash forward to today, where ‘the cloud’ is defined by eCommerce prognosticator Armando Roggio in a June 2009 blog as:

“a somewhat ambiguous concept that describes a blend of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), grid computing (multiple computers working on a single application), and utility computing (pay for consumption) all bunched up in a package that some say should be more scalable, faster to implement, and less costly than traditional application and computing models.”

Roggio goes on to predict that 90% of online retailers will be using “some form of cloud computing” by 2014. Not a bad prediction considering the ambiguous definition and current marketing spend poured into anything ‘cloud’!

Cloud Auditing 101

So, what’s the tangible benefit to the ‘cloud’? Generally, most cloud deployments use a utilization model, so services not being used are not being paid for, same as your electricity bill. For a business with seasonal shifts in online sales activity, then, the cost-benefit is obvious. Then there’s the outsourcing of risk. With a cloud provider taking on the commitment to offer the appropriate resources when your business needs them, not only is your IT department’s migraine reduced to a throbbing headache, but there’s the possibility of actually reducing your audit requirements! That’s great news for any business having to deal with PCI DSS, HIPAA, or SAS 70 audits (not to mention GLBA or SOX).

As for the general audit outlook under the different regulations, a summary of Lamont Wood’s Computerworld article on cloud computing and compliance is helpful:

Of the three areas, the PCI DSS rules are obviously the most concerning, because the question comes down to what constitutes a server. Without getting overly technical, and based on the definition of cloud computing already discussed, cloud servers are generally virtual servers, and many virtual servers sit on top of a single physical server. Where PCI will be concerned, then, is the difference between dedicated physical servers and virtual servers, and whether virtual server instances can be ‘locked down’ tightly enough to pass PCI requirements. Ahhh, an auditor’s dream for eCommerce.

This is Major Tom to Cloud Control

So, can eCommerce servers be deployed in the cloud? Of course! Here at Credera, we’ve deployed the Broadleaf Commerce solution to both Rackspace Cloud and Amazon EC2 environments for a testing/development environment with much success! PCI issues aside, cloud computing will continue to be a focus area for both our Technology and Management Consulting groups, especially as it concerns the eCommerce space.

Rackspace has even developed a white paper on cloud-based, PCI-compliant eCommerce solutions. Its general guidance is that the site must be built against a separate (out-of-cloud) payment provider that stores ALL credit card data, so even the customer’s entry of credit card information must happen at the payment processor, in a non-cloud environment. Rackspace notes:

“By designing your e-commerce site in this manner, PCI compliance is reduced to a Type A SAQ (Self Assessment Questionnaire) for merchants processing less than 6,000,000 annual transactions. The current version of the Type A SAQ can be obtained at:\_dss.shtml. To achieve compliance when all cardholder information is handled by a partner, you only need to address two of the twelve sections of the complete PCI-DSS (Payment Card Industry – Data Security Standard) and only a subset of the controls in each of those sections. The two sections are (9) Restrict physical access to cardholder data and (12) Maintain a policy that addresses information security.”
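The scope-reducing design Rackspace describes, as an added illustration rather than code from this post, from Credera, or from Rackspace: the cloud-hosted storefront opens a hosted-payment session with an external processor, redirects the shopper there to enter the card, and receives back only an opaque token inside an HMAC-signed callback. The processor class, the URLs, the shared secret and the field names are all hypothetical placeholders, and the processor is a constructed stand-in so the flow runs offline. The storefront also refuses any callback that carries something looking like a card number, because a PAN landing on the cloud server is exactly what would pull it back into the full PCI DSS scope.

```python
import hashlib
import hmac
import json
import re
import secrets

# Placeholder shared secret (hypothetical); a real one is issued by the processor.
SHARED_SECRET = b"replace-with-processor-issued-secret"

# 13-19 digits, optionally space/dash separated, not glued to other word chars.
PAN_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(payload: dict) -> bool:
    """Scope guard: True if any string field carries a Luhn-valid card number.
    If card data ever reaches the storefront, the SAQ A assumption is broken."""
    for value in payload.values():
        if isinstance(value, str):
            for candidate in PAN_CANDIDATE.findall(value):
                if luhn_valid(re.sub(r"[ -]", "", candidate)):
                    return True
    return False


def sign(body: dict, secret: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the callback body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


class HostedPaymentProcessor:
    """Constructed stand-in for the out-of-cloud provider; the only place a
    card number is ever held. Endpoint URLs are hypothetical."""

    def __init__(self, secret: bytes):
        self.secret, self.sessions, self.vault = secret, {}, {}

    def create_session(self, order_id, amount_cents, currency, return_url):
        session_id = "ps_" + secrets.token_hex(8)
        self.sessions[session_id] = {"order_id": order_id, "amount_cents": amount_cents,
                                     "currency": currency, "return_url": return_url}
        return f"https://pay.example-processor.test/checkout/{session_id}"

    def shopper_submits_card(self, session_id, card_number):
        """Runs on the processor's hosted page; returns the signed form it posts
        back to the merchant's return_url. The PAN stays in the processor's vault."""
        s = self.sessions.pop(session_id)
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = card_number
        result = {"order_id": s["order_id"], "amount_cents": s["amount_cents"],
                  "currency": s["currency"], "status": "approved", "token": token}
        result["signature"] = sign(result, self.secret)
        return result


class MerchantCheckout:
    """Cloud-hosted storefront: redirects out, verifies what comes back."""

    def __init__(self, processor, secret: bytes):
        self.processor, self.secret, self.orders = processor, secret, {}

    def start_checkout(self, order_id, amount_cents, currency="USD"):
        self.orders[order_id] = {"amount_cents": amount_cents, "status": "pending"}
        return self.processor.create_session(
            order_id, amount_cents, currency, "https://shop.example.test/payment/return")

    def handle_return(self, form: dict) -> str:
        body = {k: v for k, v in form.items() if k != "signature"}
        # Scope guard runs first: a leaked PAN is refused even if correctly signed.
        if contains_pan(body):
            return "rejected: cardholder data must not reach the storefront"
        if not hmac.compare_digest(sign(body, self.secret), form.get("signature", "")):
            return "rejected: bad signature"
        order = self.orders.get(body.get("order_id"))
        if order is None or order["amount_cents"] != body.get("amount_cents"):
            return "rejected: unknown order or amount mismatch"
        order["status"], order["token"] = body["status"], body["token"]  # opaque ref only
        return "accepted"


def run_demo():
    """Happy path, a tampered amount, and a callback that leaks a card number."""
    processor = HostedPaymentProcessor(SHARED_SECRET)
    shop = MerchantCheckout(processor, SHARED_SECRET)
    session_id = shop.start_checkout("ORD-1001", 4999).rsplit("/", 1)[1]
    # Constructed Luhn-valid test number, entered on the processor's page, not ours.
    form = processor.shopper_submits_card(session_id, "4111 1111 1111 1111")
    accepted = shop.handle_return(form)
    tampered = shop.handle_return(dict(form, amount_cents=1))
    leaked = shop.handle_return(dict(form, note="card 4111-1111-1111-1111 on file"))
    return accepted, tampered, leaked, shop.orders["ORD-1001"]


if __name__ == "__main__":
    print(run_demo())
```

The point of the ordering in `handle_return` is that the PAN guard is evaluated before the signature: a correctly signed callback that nevertheless carries a card number is still a scope breach, and the right response is to reject it and raise an alert rather than to store it. The merchant database ends up holding only the order status and the processor's token, which is what keeps the storefront within the two SAQ A sections the white paper describes.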

Predicting the Weather

PCI is a current hot topic in the cloud computing space and is being actively addressed, though the forecasted solution is – well – cloudy. In the meantime, eCommerce retailers and other businesses facing seasonal or inconsistent data processing needs would be well advised to get better versed on the main question: what can cloud do for you?