Unencrypted credit card numbers were a gamble that Vegas.com was unwilling to take.
Security implemented to protect credit card data in Microsoft Corp. SQL Server databases not only had to exceed compliance standards but also had to be flexible enough to evolve with the Web site, said Brian Hayashi, Vegas.coms director of engineering.
To help Las Vegas travel and entertainment Web site Vegas.com achieve security compliance with such programs as Visa USA Inc.s Cardholder Information Security Program, which is designed to protect customers of credit card companies, Hayashi deployed twin Ingrian Networks Inc. Ingrian i210 DataSecure Appliances on his production network, with a load balancer to ensure availability. Vegas.com also acquired an Ingrian i211 DataSecure Appliance for its testing lab, where new code is tested before being implemented on the production network.
Vegas.coms first experience with Ingrian Networks was with the vendors SSL (Secure Sockets Layer) acceleration products. Thanks to a positive experience with those products, Vegas.com decided to give Ingrian Networks DataSecure appliances a try.
Initially, Hayashi and his staff planned to develop their own software for encrypting their databases.
Hayashi said he could get basic encryption capabilities from free software solutions. He said that these solutions would have allowed Vegas.com to squeak past regulations, such as the California Security Breach Information Act, but that he wanted to go above and beyond basic requirements.
The problem of internal security breaches—carried out by employees or by people able to gain employee credentials—was one that Vegas.com simply couldnt have. For this reason, Hayashi decided that the application-level encryption provided by Ingrian Networks DataSecure appliances is the best solution for Vegas.com.
Using Ingrian Networks DataSecure appliances, Vegas.com is able to selectively encrypt sensitive database columns (such as those that contain credit card numbers) while leaving other columns unencrypted. Used in conjunction with database look-up, this allows authorized employees to access the information while locking out unauthorized users.
In addition, with this level of security in place, an intruder or rogue employee who is able to gain access to the database would be unable to steal information from protected columns.
Vegas.com currently gets about 60,000 customer visits per day, said Hayashi. Vegas.coms sister site, LasVegas.com, runs on the same infrastructure and gets 50,000 more visitors, he said.
Hayashi said the Ingrian DataSecure appliances have been able to seamlessly protect data without introducing latency for customers, a key consideration. "In our line of business, response time is critical," he said. "Customers will abandon you quickly if latency ruins the user experience."
In searching for a solution, Hayashi paid close attention to how systems store and manage keys. "One of the things we didnt like about software-based encryption solutions was that they stored encryption keys on backup tapes, servers and other pieces of equipment that could be stolen," Hayashi said.
Indeed, one reason Vegas.com went with Ingrians DataSecure appliances is that the devices manage and store encryption keys, so theft of backup media or devices storing information wouldnt turn into an embarrassing identity-theft scandal, said Hayashi.
Looking ahead, Hayashi said he believes Vegas.coms Ingrian solution will be able to scale as the sites client load increases—even if the site moves to an Oracle Corp. database for added functionality. Vegas.coms SQL Server 2000 database is fairly modest, containing roughly 5GB of data, but it is expected to grow as the sites business expands and as the site continues to gain customers.
"We liked the fact that we were implementing Ingrian Networks midlevel solution and that they had more powerful product we could grow into," Hayashi said.