Posts Tagged 'Compliance'

July 26, 2016

Cloud HSM: Our secure key management approach

Customers concerned about key management often require an HSM (hardware security module). They want the same level of key protection in the cloud as they have on-premises. An HSM guarantees authorized users access to encrypted data by storing mission-critical master encryption keys in the HSM and backing them up. Powered by SafeNet’s HSM and hosted in geographically dispersed data centers under controlled environments independently validated for compliance, IBM Cloud HSM offers enterprises high-assurance protection for encryption keys and also helps customers meet their corporate, contractual, and regulatory compliance requirements.

You can easily order Cloud HSM through the SoftLayer customer portal or SoftLayer APIs. A dedicated FIPS-compliant HSM device will be provisioned inside your private network.

The HSM access credentials provided to you are reset as part of your first login. This ensures that you are the only entity with access to your HSM functionality. SoftLayer is responsible for managing the HSM in terms of health and uptime; this is done without access to the partitions, roles, and keys stored and managed on the HSM. You are responsible for using the HSM to manage and back up your keys.

Cloud HSM supports a variety of use cases and applications, such as database encryption, digital rights management (DRM), public key infrastructure (PKI), authentication and authorization, document signing, and transaction processing. NAT and IP aliasing will not work with HSM, while BYOIP might be possible in the future. Currently, HSM is not available in federal data centers, but it is on the roadmap.

Configuration

Cloud HSM is “used” and accessed in exactly the same way as an on-prem managed HSM.

As part of provisioning, you receive administrator credentials for the appliance; you then initialize the HSM, manage it, create roles, and create HSM partitions on the appliance. After creating HSM partitions, you can configure a Luna client (on a virtual server) that allows applications to use the APIs provided by the HSM. The cryptographic partition is a logical and physical security boundary whose secrets are known only to the partition owner you authorize. Any attempt to tamper with the physical appliance will result in data being erased. Similarly, incorrect login attempts beyond a threshold will erase partitions, so we highly recommend backing up your keys.

Cloud HSM logical architecture

The following diagram illustrates the roles and responsibilities of SoftLayer and the customer:

Cloud HSM roles and responsibilities of SoftLayer and the customer

Cloud HSM key features

  • Secure key storage: With multiple levels of authorization and tamper-proof, FIPS 140-2 compliant hardware provisioned in a private network in a secure data center, the safety of your data is ensured. SoftLayer has no access to your keys, and the device is completely owned by the customer until cancelled.
  • Reliable key storage: Customers are encouraged to back up the keys and configure HSMs in high availability mode. SoftLayer will monitor uptime and connectivity.
  • Compliance requirements: SafeNet’s FIPS 140-2 validated appliance helps you meet the requirements of many compliance standards, including PCI-DSS.
  • Improved and secure connectivity: HSMs are deployed in your private VLAN to maintain more efficient and secure connectivity. Deploying a physical HSM appliance versus software running on a general purpose server provides users with an appliance that is built to handle the resource-intensive tasks of cryptography processing while reducing the latency to applications.
  • Audit requirements: Audit logs can be found on the HSM appliance.
  • On-demand: Cloud HSM can be easily ordered and canceled using the SoftLayer customer portal or APIs, and it is modeled to scale rapidly. The pricing model involves a one-time setup fee and recurring monthly fees.

-Neetu

February 10, 2016

The Compliance Commons: Do you know our ISOs?

Editor’s note: This is the first of a three-part series designed to address general compliance topics and to answer frequently asked compliance questions.

How many times have you been asked by a customer if SoftLayer is ISO compliant? Do you ever find yourself struggling for an immediate answer? If so, you're not alone.

ISO stands for International Organization for Standardization. The organization has published more than 19,000 international standards, covering almost all aspects of technology and business. If you have any questions about a specific ISO standard, you can search the ISO website. If you would like the full details of any ISO standard, an online copy of the standard can be purchased through their website.

SoftLayer holds three ISO certifications, and we’re going after more. We offer industry standard best security practices relating to cloud infrastructure, including:

ISO/IEC 27001: This certification covers the information security management process. It certifies that SoftLayer offers best security practices in the industry relating to cloud infrastructure as a service (IaaS). Going through this process and obtaining certification means that SoftLayer observes industry best practices in offering a safe and secure place to live in the cloud. It also means that our information security management practices adhere to strict, internationally recognized best practices.

ISO/IEC 27018: This certifies that SoftLayer follows the most stringent code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. While not all of SoftLayer is public and while we have very distinct definitions for processing PII for customers, we decided to obtain the certification to solidify our security and privacy principles as robust.

ISO/IEC 27017: This is a code of practice for information security controls for cloud services. It’s the global standard for cloud security practices—not only for what SoftLayer should do, but also for what our customers should do to protect information. SoftLayer’s ISO 27017 certification demonstrates our continued commitment to upholding the highest, most secure information security controls and applying them effectively and efficiently to our cloud infrastructure environment. The standard provides guidance in areas including, but not limited to, the following:

  • Information Security
  • Human Resources
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development & Maintenance
  • Supplier Relations
  • Incident Management
  • Business Continuity Management
  • Compliance
  • Network Security

How can SoftLayer’s ISO certification benefit me as a customer?

Customers can leverage SoftLayer’s certifications as long as it’s done in the proper manner. Customers cannot claim that they’re ISO certified just because they’re using SoftLayer infrastructure. That’s not how it works. SoftLayer’s ISO certifications may make it easier for customers to become certified because they can leverage our certification for the SoftLayer boundary. Our SOC2 report (available through our customer portal or sales team) describes our boundary in greater detail: the customers are not responsible for certifying what’s inside SoftLayer’s boundary.

How does SoftLayer prove its ISO compliance?

SoftLayer’s ISO Certificates of Registration are publicly available on our website and on our third-party assessor’s website. By design, our ISO certificates denote that we conform to and meet all the applicable objectives of each standard. Since the ISO standards are steadfast and constant controls for everyone, we don’t offer our reports from the audits, but we can provide our certificates.

What SoftLayer data centers are applicable to the ISO certifications?

All of them! Each ISO certificate is applicable to every one of our data centers, in the U.S. and internationally. SoftLayer obtained ISO certifications on every one of our facilities because we operate with consistency across the globe. When a new SoftLayer data center comes online, there is some lag time between opening and certification because we need to be reviewed by our third-party assessor and have operational evidence available to support our data center certification. But as soon as we obtain the certifications, we’ll make them available.

Visit www.softlayer.com/compliance for a full list of our certifications and reports. They can also be found through the customer portal.

-Dana

August 11, 2014

I PLEB Allegiance to My Data!

As a "techy turned marketing turned social media turned compliance turned security turned management" guy, I have had the pleasure of talking to many different customers over the years and have heard horror stories about data loss, data destruction, and data availability. I have also heard great stories about how to protect data and the differing ways to approach data protection.

On a daily basis, I deal with NIST 800-53 rev.4, PCI, HIPAA, CSA, FFIEC, and SOC controls among many others. I also deal with specific customer security worksheets that ask for information about how we (SoftLayer) protect their data in the cloud.

My first response is always, WE DON’T!

The looks I’ve seen on faces in reaction to that response over the years have been priceless. Not just from customers but from auditors’ faces as well.

  • They ask how we back up customer data. We don’t.
  • They ask how we make it redundant. We don’t.
  • They ask how we make it available 99.99 percent of the time. We don’t.

I have to explain to them that SoftLayer is simply infrastructure as a service (IaaS), and we stop there. All other data planning should be done by the customer. OK, you busted me, we do offer managed services as an additional option. We help the customer using that service to configure and protect their data.

We hear from people about Personal Health Information (PHI), credit card data, government data, banking data, insurance data, proprietary information related to code and data structure, and APIs that should be protected with their lives, etc. What is the one running theme? It’s data. And data is data, folks, plain and simple!

Photographers want to protect their pictures, chefs want to protect their recipes, grandparents want to protect the pictures of their grandkids, and the Dallas Cowboys want to protect their playbook (not that it is exciting or anything). Data is data, and it should be protected.

So how do you go about doing that? That's where PLEB, the weird acronym in the title of this post, comes in!

PLEB stands for Physical, Logical, Encryption, Backups.

If you take those four topics into consideration when dealing with any type of data, you can limit the risk associated with data loss, destruction, and availability. Let’s look at the details of the four topics:

  • Physical Security—In a cloud model it is on the shoulders of the cloud service provider (CSP) to meet strict requirements of a regulated workload. Your CSP should have robust physical controls in place. They should be SOC2 audited, and you should request the SOC2 report showing little or no exceptions. Think cameras, guards, key card access, bio access, glass alarms, motion detectors, etc. Some, if not all, of these should make your list of must-haves.
  • Logical Access—This is likely a shared control family when dealing with cloud. If the CSP has a portal that can make changes to your systems and the portal has a permissions engine allowing you to add users, then that portion of logical access is a shared control. First, the CSP should protect its portal permission system, while the customer should protect admin access to the portal by creating new privileged users who can make changes to systems. Second, and just as important, when provisioning you must remove the initial credentials that were set up, add new, private credentials, and restrict access accordingly. Note that this is strictly a customer control.
  • Encryption—There are many ways to achieve encryption, both at rest and in transit. For data at rest you can use full disk encryption, virtual disk encryption, file or folder encryption, and/or volume encryption. This is required for many regulated workloads and is a great idea for any type of data with personal value. For public data in transit, you should consider SSL or TLS, depending on your needs. For backend connectivity from your place of business, office, or home into your cloud infrastructure, you should consider a secure VPN tunnel for encryption.
  • Backups—I can’t stress enough that backups are not just the right thing to do, they are essential, especially when using IaaS. You want a copy at the CSP you can use if you need to restore quickly. But you also want another copy in a different location in case of a disaster that WILL be out of your control.

So take the PLEB and mitigate risk related to data loss, data destruction, and data availability. Trust me—you will be glad you did.

-@skinman454

January 10, 2014

Platform Improvements: VLAN Management

As director of product development, I'm tasked with providing SoftLayer customers greater usability and self-service tools on our platform. Often, that challenge involves finding, testing, and introducing new products, but a significant amount of my attention focuses on internal projects to tweak and improve our existing products and services. To give you an idea of what that kind of "behind the scenes" project looks like, I'll fill you in on a few of the updates we recently rolled out to improve the way customers interact with and manage their Virtual LANs (VLANs).

VLANs play a significant role in SoftLayer's platform. In the most basic sense, VLANs fool servers into thinking they're behind the same network switch. If you have multiple servers in the same data center and behind the same router, you could have them all on the same VLAN, and all traffic between the servers would be handled at the layer-2 network level. For customers with multi-tier applications, zones can be created to isolate specific servers into separate VLANs — database servers, app servers, and Web servers can all be isolated in their own security partitions to meet specific security and/or compliance requirements.

In the past, VLANs were all issued distinct numbers so that we could logically and consistently differentiate them from each other. That utilitarian approach has proven to be functional, but we noticed an opportunity to make the naming and management of VLANs more customer-friendly without losing that functionality. Because many of our customers operate large environments with multiple VLANs, they've had the challenge of remembering which servers live behind which VLAN number, and the process of organizing all of that information was pretty daunting. Imagine an old telephone switchboard with criss-crossing wires connecting several numbered jacks (and not connecting others). This is where our new improvements come in.

Customers now have the ability to name their VLANs, and we've made updates that increase visibility into the resources (servers, firewalls, gateways, and subnets) that reside inside specific VLANs. In practice, that means you can name your VLAN that houses database servers "DB" or label it to pinpoint a specific department inside your organization. When you need to find one of those VLANs, you can easily search for it by name and make changes to it easily.

VLAN List View

VLAN Detail Page

While these little improvements may seem simple, they make life much easier for IT departments and sysadmins with large, complex environments. If you don't need this kind of functionality, we don't throw it in your face, but if you do need it, we make it clear and easily accessible.

If you ever come across quirks in the portal that you'd like us to address, please let us know. We love making big waves by announcing new products and services, but we get as much (or more) joy from finding subtle ways to streamline and improve the way our customers interact with our platform.

-Bryce

October 16, 2012

An Introduction to Risk Management

Whether you're managing a SaaS solution for thousands of large clients around the world or you're running a small mail server for a few mom-and-pop businesses in your neighborhood, you're providing IT service for a fee — and your customers expect you to deliver. It's easy to get caught up in focusing your attention and energy on day-to-day operations, and in doing so, you might neglect some of the looming risks that threaten the continuity of your business. You need to prioritize risk assessment and management.

Just reading that you need to invest in "Risk Management" probably makes you shudder. Admittedly, when a business owner has to start quantifying and qualifying potential areas of business risk, the process can seem daunting and full of questions ... "What kinds of risks should I be concerned with?" "Once I find a potential risk, should I mitigate it? Avoid it? Accept it?" "How much do I need to spend on risk management?"

When it comes to risk management in hosting, the biggest topics are information security, backups and disaster recovery. While those general topics are common, each business's needs will differ greatly in each area. Because risk management isn't a very "cookie-cutter" process, it's intimidating. It's important to understand that protecting your business from risks isn't a destination ... it's a journey, and whatever you do, you'll be better off than you were before you did it.

Because there's not a "100% Complete" moment in the process of risk management, some people think it's futile — a gross waste of time and resources. History would suggest that risk management can save companies millions of dollars, and that's just when you look at failures. You don't see headlines when businesses effectively protect themselves from attempted hacks or when sites automatically fail over to a new server after a hardware failure.

It's unfortunate how often confidential customer data is unintentionally released by employees or breached by malicious attackers. Especially because those instances are often so easily preventable. When you understand the potential risks of your business's confidential data in the hands of the wrong people (whether malicious attackers or careless employees), you'll usually take action to avoid quantifiable losses like monetary fines and unquantifiable ones like the loss of your reputation.

More and more, regulations are being put in place to hold companies accountable for protecting their sensitive information. In the healthcare industry, businesses have to meet the strict Health Insurance Portability and Accountability Act (HIPAA) regulations. Sites that accept credit card payments online are required to operate in Payment Card Industry (PCI) Compliance. Data centers will spend hours (and hours and hours) achieving and maintaining their SSAE 16 certification. These rules and requirements are not arbitrarily designed to be restrictive (though they can feel that way sometimes) ... They are based on best practices to ultimately protect businesses in those industries from risks that are common throughout the respective industry.

Over the coming months, I'll discuss ways that you as a SoftLayer customer can mitigate and manage your risk. We'll talk about security and backup plans that will incrementally protect your business and your customers. While we won't get to the destination of 100% risk-mitigated operations, we'll get you walking down the path of continuous risk assessment, identification and mitigation.

Stay tuned!

-Matthew

December 30, 2011

The Pros and Cons of Two-Factor Authentication

The government (FISMA), banks (PCI) and the healthcare industry are huge proponents of two-factor authentication, a security measure that requires two different kinds of evidence that you are who you say you are ... or that you should have access to what you're trying to access. In many cases, it involves using a combination of a physical device and a secure password, so those huge industries were early adopters of the practice. In our definition, two-factor authentication is providing "something you know, and something you have." When you're talking about national security, money or people's lives, you don't want someone with "password" as their password to unwittingly share his or her access to reams of valuable information.

What is there not to like about two-factor authentication?

That question is one of the biggest issues I've run into as we continue pursuing compliance and best practices in security ... We can turn on two-factor authentication everywhere – the portal, the VPN, the PoPs, internal servers, desktops, wireless devices – and make the entire SoftLayer IS team hate us, or we can tell all the admins, auditors and security chiefs of the world to harden their infrastructure without it.

Regardless of which direction we go, someone isn't going to like me when this decision is made.

There are definite pros and cons of implementing and requiring two-factor authentication everywhere, so I started a running list that I've copied below. At the end of this post, I'd love for you to weigh in with your thoughts on this subject. Any ideas and perspective you can provide as a customer will help us make informed decisions as we move forward.

Pros

  • It's secure. Really secure.
  • It is a great deterrent. Why even try to hack an account when you know a secondary token is going to be needed (and only good for a few seconds)?
  • It can keep you or your company from being in the news for all the wrong reasons!

Cons

  • It's slow and cumbersome ... Let's do some math: 700 employees with 6 logins per day on average means 4,200 logins per day. Assume 4 seconds per two-factor login, and you're looking at 16,800 extra seconds (4.66 hours) a day shifted from productivity to simply logging into your systems.
  • Users have to "have" their "something you have" all the time ... Whether that's an iPhone, a keyfob or a credit card-sized token card.
  • RSA SecurID was HACKED! I know of at least one financial firm that had to turn off two-factor authentication after this came up.
  • People don't like the extra typing.
  • System Administrators hate the overhead on their systems and the extra points of failure.

As you can see, the volume of cons outweighs the pros, but the comparison isn't necessarily quantitative. If one point is qualitatively more significant than two hundred contrasting points, which do you pay attention to? If you say "the significant point," then the question becomes how we quantify the qualitativeness ... if that makes any sense.

I had been a long-time hater of two-factor authentication because of my history as a Windows sysadmin, but as I've progressed in my career, I hate to admit that I became a solid member of Team Two-Factor and support its merits. I think the qualitative significance of the pros outweighs the quantitative advantage the cons have, so as much as it hurts, I now get to try to sway our senior systems managers to the dark side as well.

If you support my push for further two-factor authentication implementation, wish me luck ('cause I will need it). If you're on Team Anti-Two-Factor, let me know what the key points are when you've decided against it.

-@skinman454

December 13, 2011

Do Your Homework!

As far back as I can remember, I hated homework. Homework was cutting into MY time as a kid, then teenager, then young adult ... and since I am still a "young adult," that's where I have to stop my list. One of the unfortunate realizations that I've come to in my "young adult" life is that homework can be a good thing. I know that sounds crazy, so I've come prepared with a couple of examples:

The Growing Small Business Example
You run a small Internet business, and you've been slowly growing over the years until suddenly you get your product/service mix just right and a wave of customers is beating down the door ... or in your case, they're beating down your website. The excitement of the surge in business is quickly replaced by panic, and you find yourself searching for cheap web servers that can be provisioned quickly. You find one that looks legit and you buy a dozen new dedicated servers and some cloud storage.

You alert your customers of the maintenance window and spend the weekend migrating your now-valuable site to the new infrastructure. On Monday, you get the new site tuned and ready, and you hit the "go" button. Your customers are back, flocking to the site again, and all is golden. As the site gains more traffic over the next couple of weeks, you start to see some network lag and some interesting issues with hardware. You see a thread or two in the social media world about your new shiny site becoming slow and cumbersome, and you look at the network graphs where you notice there are some capacity issues with your provider.

Frustrated, you do a little "homework," and you find out that the cheap service provider you chose has a sketchy history and many complaints about the quality of their network. As a result, you go on a new search for a hosting provider with good reviews, and you have to hang another maintenance sign while you do all the hard work behind the scenes once again. Not doing your homework before making the switch in this case probably cost you a good amount of sleep, some valuable business, and the quality of service you wanted to provide your customers.

The Compliance-Focused Example
I still live, eat, and breathe compliance for SoftLayer, and we had an eye-opening experience when sorting through the many compliance differences. As you probably recall (Skinson 1634AR15), I feel like everyone should agree to an all-inclusive compliance model and stick to just that one, but that feeling hasn't caught on anywhere outside of our office.

In 2011, SoftLayer ramped up some of our compliance efforts and started planning for 2012. With all the differences in how compliance processes for things like FISMA, HIPAA, PCI Level 1 - 4, SSAE16, SOC 1 and SOC2 are measured, it was tough to work on one without affecting another. We were working with a few different vendors; if we flipped "Switch A," Auditor #1 was happy. When we told Auditor #2 that we flipped "Switch A," they hated it so much they almost started crying. It started to become the good ol' "our way is not just the better way, it's the only way" scenario.

So what did we do? Homework! We spent the last six months looking at all the compliances and mapping them against each other. Surprisingly enough, we started noticing a lot of similarities. From there, we started interviewing auditing and compliance firms and finally found one that was ahead of us in the similarity game and already had a matrix of similarities and best practices that affect most (if not all) of the compliances we wanted to focus on.

Not only did a little homework save us a ton of cash in the long run, it saved the small trees and bushes under the offices of our compliance department from the bodies that would inevitably crash down on them when we all scampered away from the chaos and confusion seemingly inherent in pursuing multiple different compliances at the same time.

The moral of the story: Kiddos, do your homework. It really is good for something, we promise.

-@Skinman454

September 7, 2011

3DCart: Tech Partner Spotlight

This is a guest blog from 3DCart Co-founder and CEO Gonzalo Gil. 3DCart is a technology partner with a robust eCommerce platform hosting thousands of merchants all over the world ... And it's clear they have an enduring drive for innovation and value.

Company Website: http://www.3DCart.com/
Tech Partners Marketplace: http://www.softlayer.com/marketplace/3dcart

5 Must-Have Features in a Hosted Ecommerce Provider

In 1997, the concept that would eventually become 3DCart came into existence. I developed 3DCart with the idea of putting every single ecommerce tool and resource at the fingertips of web entrepreneurs so anyone with a computer could start their own online store. Today, we're still going strong, and we pride ourselves on launching new ecommerce features before the competition has a chance.

The market for shopping carts has exploded over the past decade. If you're considering the ecommerce business, choosing a shopping cart can get overwhelming. Because not all ecommerce software solutions are created equal, we've put together a list of five must-have features for aspiring entrepreneurs to consider when choosing a hosted ecommerce provider.

1. PCI Compliance to Protect Customer Information
You hear about it on the web, on the television, in the magazines: cyber-theft. Recent instances of online fraud (like the hack of PlayStation's network) have caused online shoppers to stiffen up when it comes to sharing financial information. For your sake and the sake of your customers, it's important to put the minds of shoppers at ease as soon as they discover your brand.

Born from new rules created by the Payment Card Industry, PCI compliance standards are stringent guidelines for ensuring your online store is up to code in terms of security. The last thing you need as an online store owner is responsibility for losing sensitive personal data to fraudsters. Beyond general culpability, you run the risk of losing trust in your brand, which could sink your business entirely.

The process for reaching PCI compliance is rigorous and expensive. That's why most ecommerce software providers undergo PCI compliance measures on their own — so online stores can offer security to their customers. It offers a little more peace of mind on both sides of the business relationship and ensures your transactions go through smoothly.

2. 24/7 Phone Support for Peace of Mind
You've worked with software companies before, so the possibility of 24/7 phone support might seem like a laughable service. True: not many software companies are in the business of employing an onshore support staff to have the phones manned all hours of the day. But that doesn't mean they aren't out there.

Not too long ago, 3DCart noticed a chance to further differentiate our company from the competition by offering 24/7/365 phone support for free to all of our customers. The idea behind the value-add was that your direct support lifeline shouldn't end just because business hours are over. It's been an extremely successful service for us, as well as for our customers.

Think about it: an online store doesn't close when the lights go out — especially if you do international business. The ability to connect after hours with a support team in the most extreme cases (downtime, bugs, etc.) is a huge factor and one that many customers cite as a reason for choosing our company.

3. Scalability/Adaptability to Handle Growth
The most successful online stores will inevitably have to scale up their ecommerce offering. Therefore, scalability becomes a huge criterion for finding the right hosted ecommerce provider.

But the ability to scale hosting volume as the business grows organically isn't the only important factor. If your store runs a promotion or gets a mention in a high-profile publication, it'll need to handle heavy traffic spikes. After all, you wouldn't want your store to crash right as it peaks in popularity.

A lot of hosted ecommerce solutions advertise scalability—but how do you know that they're telling the truth? A good way to find proof is to run through the company's case studies, usually hosted somewhere on the site. You're bound to come across one that demonstrates a specific instance of on-demand scaling. If that's not enough, contact the subject of the study directly for confirmation.

Customizability falls under this category as well. The more dynamic the shopping cart, the more control you have over your brand. Simple ways to manage your content are important and should be easy to manipulate with an intuitive CMS.

4. Comprehensive Feature Set for All-In-One Functionality
If you have a good business plan and know what you're going to sell, you probably already have a good idea of what features are going to be most crucial to your business. But that doesn't mean you won't need other features — some of whose importance you might not yet grasp.

Below are a few features that make the ecommerce experience much more efficient and connected:

  • Autoresponders
    Setting and forgetting autoresponders is a great way to add some automation to your marketing plan. If you sell perishable goods for instance, you can set an automatic email to send to the customer when the lifespan of the product is up. It greatly increases the chances that they'll replace the item through your store.
  • Customer Relationship Manager
    Since you're hosting all of your data in the cloud, a built-in CRM platform is an important part of collecting analytics on customer behavior. You probably won't need all the functionality of Salesforce; a built-in CRM that has a lot of the same functionality automatically collects the data you need through your online store.
  • Great Marketing Tools
    Outside-the-box marketing tools like "Daily Deals," "Group Deals" and "Name Your Price" features greatly enhance conversion rates and make the selling process even more effective.
  • More Ways to Pay
    If you offer more payment portal integrations than your typical shopping cart, you give customers the option to pay using a comfortable, familiar process that increases the likelihood they'll make a purchase. Popular options include PayPal, Amazon Payments, Google Checkout and Authorize.net.
  • Partner Integrations
    To make a store more efficient, some shopping carts offer integrations with shipping resources (FedEx, UPS), fulfillment services and tax software. A direct data feed reduces manual administration and helps your store stay as efficient as possible, saving you time and money. You might even get discounts for services booked through your ecommerce provider.

5. Low Fees for a Lower Overhead
The pricing for hosted shopping carts usually revolves around bandwidth and feature sets, but there's a pitfall that some online store owners don't notice until it's too late: per-sale fees. There are some hosted shopping cart software platforms on the market that charge a percentage of every sale.

Another cost that new online storeowners run into is a setup fee. It's usually unnecessary and a way for the vendor to collect extra revenue. Pricing should revolve around hosting costs, feature sets and extra services like storefront design, period. Remember to check for hidden fees if you're evaluating an ecommerce software solution.

3DCart's Foundation
The five criteria listed above form the foundation of 3DCart software. Over the years, we've found that our customers have some of the most influential voices in the ecommerce industry. We've built a community on those voices that plays a huge role in defining how we do business.

If you're looking to break into the online retail industry and want a proprietary shopping cart that offers you the insights you need to keep your business growing smoothly, give us a shot for free.

-Gonzalo Gil, 3DCart

This guest blog series highlights companies in SoftLayer's Technology Partners Marketplace.
These Partners have built their businesses on the SoftLayer Platform, and we're excited for them to tell their stories. New Partners will be added to the Marketplace each month, so stay tuned for many more to come.
July 14, 2011

Skinson 1634AR15 Compliance

Skinson's 1634AR15 Competency Controlled Certification of Compliance
New Compliance structure makes a compliance officer's life much easier.

Dallas -- In a world where auditor-to-auditor reports are out of control and we have a mountain of complex compliances to worry about, one competent compliancy controlled certification of compliance finally comes forth (and not a minute too soon).

"This new groundbreaking idea will change the lives of many competing auditing firms, law firms, accounting firms and so on," says Steve Kinman. "I spend countless hours reading controls for one report and different controls for another report, and the only difference is the verbiage and format."

The new Skinson 1634AR15 Certification combines your SAS70, SSAE16, ROC, VOC, SOC, NIST, SARBOX, PCI, OMB, ACART, CFDA, HIPAA and SAFE HARBOR compliance into a single report using a set framework that automorphs based upon which auditor is touching the report or viewing it in the state of the art Skinson Portal.

"The Skinson portal is mind-blowing," says Val Stinson. "The automorph feature is something straight out of the movies. It knows who is reading and can change the wording on the fly. This keeps auditors from scratching their heads when the words in the report don't match the words in their instruction book."

The introductory price for full Skinson 1634AR15 Compliance Certification is $1,000,000 USD. This is all-inclusive and will sufficiently cover all of your compliance needs.

Contact:
Steve Kinman
skinman@softlayer.com

About Skinson
Headquartered in Dallas, Texas, Skinson is a fictional company that likes to poke fun at the difficult job of compliance in the world. While we find that it can be overwhelming at times, we understand that compliance is a necessary evil. We would like to note that something like we dream about above would be very nice and would save the world a ton of work and cut down on our carbon footprint considerably. If you are in a position of control and can make the above happen please help us!!

On a side note, SoftLayer will do everything we can to help you with any compliance you need. Just ask your local sales team for help, and they will find the right person and get you in contact.

-@skinman454

P.S. The actual reason for this blog post is that we just announced that the control procedures and compliance for our 11 data centers have been verified in a Service Organization Control Report (SOC 1) prepared under the terms of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) by independent auditing firm Weaver.
