E-commerce and retail
2011 Bleum

Introduction

For nearly three hours on a Tuesday in June, 2010, Amazon.com was down. Its pages were empty and its search functions and shopping cart didn't work. Within minutes, thousands of tweets about the problem began flying. For a site that averages some $51,400 in sales and revenue every minute, the downtime could have cost Amazon $9.2 million, according to the website Technologizer.

A "glitch" cost Zappos $1.6 million in less than 8 hours.

Zappos knows how Amazon feels. Between midnight and dawn one day in May 2010, a glitch on its sister website 6pm.com somehow capped prices for most Zappos products at $49.95. Zappos lost $1.6 million during that overnight stretch. Its losses would have been much higher if the problem had occurred during the day.

Traditional retailers haven't escaped costly and embarrassing online problems either. For much of Black Friday 2010 and sporadically for the rest of the week, including Cyber Monday, J.C. Penney experienced response times of up to 90 seconds. According to monitoring done by web performance management software firm AlertSite, the long response times caused the home page, search, add to cart and proceed to checkout functions to repeatedly time out and not complete sales.

Unlike J.C. Penney, Williams-Sonoma's e-commerce site did exceptionally well during the 2010 peak holiday season. Its near-impeccable availability stood at 99.98%, with an average response time of 11.58 seconds, according to AlertSite. Because of this, AlertSite ranked Williams-Sonoma as the retailer providing the best overall experience to shoppers in 2010. Not surprisingly, Williams-Sonoma's web sales rose 26% to $1.2 billion in 2010, a particularly important gain since its retail sales grew less than 10% over the same period, ending at $2 billion.

Sales are not the only factor influencing the performance of e-commerce sites; security is also critical.
Ask any banking institution that fell victim to the recent string of cyber attacks and they will tell you how important, and difficult, a proper security regime is. Citigroup's May 2011 attack had hackers accessing the data of 1%, or an estimated 210,000, Citigroup customers according to the International Business Times. Whether or not fraudulent charges on these accounts have been made is still in question.

As these high-profile cases illustrate, getting e-commerce right is tough for even the savviest of companies. However, it is essential as the Internet is increasingly having an outsized impact on company reputation, growth and market share. The key is a rock-solid foundation incorporating security, reliability and operational excellence.

As a growing list of e-commerce sites have discovered, however, what was sufficient for security, reliability and performance even last year has become inadequate for succeeding in the online marketplace of today and certainly, of tomorrow. Companies need to strengthen their e-commerce platform now or risk putting their organizations at a strategic disadvantage, especially in lost sales, customer defections, bad publicity or even lawsuits. Identifying and adopting processes to ensure best practices in security, reliability and performance will separate the top performing e-commerce sites from those that merely survive.

The Price of Online Success

"Web influenced" retail sales (Forrester):
2010: 46% of U.S. total retail
2014: 53% of U.S. total retail

Ironically, many e-commerce sites are suffering from their success. Originally built over the last decade, many online stores have enjoyed an explosion in sales and now account for 7% of total U.S. retail sales, according to Forrester Research. But that modest share of total sales does not begin to convey the full importance of an organization's online presence.

The fact is, websites have become the first stop for consumers to compare brands, prices, features, reviews and all manner of information for anything from hotel rooms and airline tickets, to computers, shoes, tractors and refrigerators. This holds true even if a consumer ultimately buys a product through other channels. Forrester Research estimates that more than $1 trillion in retail sales in 2010 were "web-influenced." It also estimates that online and web-influenced offline sales together accounted for 46% of total U.S. retail sales last year and will grow to 53% of the total, or $1.65 trillion, by 2014.

With online business booming, companies are layering their websites with new patches, protections and capabilities. Some underlying technologies, though, are reaching their limits. The need to address the emerging impact of mobile technologies is adding more complexity to the issue, at a time when many sites are already stretched thin. Mobile devices are clearly changing online and offline buying patterns and behavior as well as the interplay between the two. The impact and reach that mobile will have, though, is still unfolding.

An e-commerce site's foundational elements can get lost or shortchanged in the rush to build capabilities to capture buyers using mobile devices, or to add the latest in business analytics for a better understanding of buying behavior. While the other initiatives clearly are important, they will ultimately fail if the e-commerce site lacks a solid and secure base built with a secure and reliable architecture.

To move into the top tier of online stores, e-commerce sites need to focus on improving the foundations of security, performance and reliability. The right building blocks will create an efficient and strong platform with the necessary flexibility to keep up with customer demands and evolving business needs.

Building Block: Security

Security issues are evolving rapidly. Hackers are relentless and becoming increasingly sophisticated, as Sony discovered to their deep embarrassment in May 2011. In fact, a recent Symantec report noted that cyber attacks increased 93% from 2009 to 2010. The total cost to U.S. companies last year was $37 billion, according to Javelin Research. Companies face additional security challenges from within, not the least of which are disgruntled or criminal employees and ex-employees.

For most companies, however, their greatest vulnerability is due to a dual failure: a selective rather than comprehensive approach to incorporating security measures; and a lack of consistency in applying security measures.

For example, a May 2011 cyber attack against Honda Canada resulted in the theft of 283,000 car owners' personal information from the e-commerce sites myHonda and myAcura. According to Michael Lewis of thespec.com, Honda thought the records contained in the database were destroyed by an outside vendor in charge of the project. When interviewed, Honda's Chief Compliance Officer responded that apparently, they were not. This is just one example of how pieces slipping through the proverbial cracks can have disastrous implications.

The reasons for the failure to adopt and follow important best practices are varied. Some sites use code from the early days of e-commerce, a time when attacks were less sophisticated and sites less complex. Often, programmers are used to building systems for internal use and are not skilled at writing code with security vulnerabilities in mind. They are also lax in searching for security issues during software testing. Too often, security features are added after the fact rather than being built into the software and hardware of an e-commerce site. Companies face the added complication of maintaining security when they integrate with partners, such as payment or e-mail marketing providers.

Overall, a company's defense needs to be two-pronged. The first area is to protect the site against malicious cyber attacks intent on disrupting the site or siphoning off confidential information like credit card numbers. The second area is to protect private and confidential information in case of a breach, employee tampering or other malicious forays inside the firewall. Companies, then, need to adopt certain measures to keep hackers out and take other steps to protect a site's sensitive data should hackers or others get inside the firewall and other security barriers.

For both types of security threats, companies must establish a disciplined, consistent program for integrating security at all levels and keeping it updated as code and hardware changes. World-class e-commerce companies begin with application development and maintenance. They create formal processes, rather than relying on individual programmers or testers, to embed security when writing and testing applications. In addition, they conduct regular security testing, at least once a quarter, to try to break the code or infrastructure.

More specifically, authentication is the first line of defense in protecting the site's infrastructure and network against outside attacks, while encryption is vital for protecting sensitive data within the site. Like authentication and encryption, most security best practices are well known and proven. Yet too many companies pick and choose rather than incorporate all of them. To lower risk and safeguard their sites, companies need to take a comprehensive and evolutionary approach to security that involves these multiple layers of protection. Additional security practices should include:

- Proper network architecture with firewall protection;
- Constant and timely virus protection;
- Coding guidelines to prevent SQL injection and visible URL data;
- VeriSign protection and temporary credit card numbers through using PayPal;
- Protection against simulated transactions that cause spikes in usage;
- Utilization of Open Web Application Security Project (OWASP) open-source documents;
- PCI compliance as another layer of protection within a broader security protocol, not a singular method of defense.

Building Block: Reliability and Scalability

There's no question that customer expectations about reliability are exceedingly high. They want sites to be up, running and fast. The goal for uptime really needs to be three 9s (99.9%), four 9s (99.99%) or five 9s (99.999%).

Yet, as features proliferate and site volume swings wildly based on time of day, day of the week and the time of the year, e-commerce sites face a complex challenge in being able to scale and achieve an appropriate level of reliability while also keeping costs effective. Few companies can afford to simply throw money at this issue. Installing dozens upon dozens of servers to handle the rare surge in volume, for example, may ensure uptime but at quite a prohibitive cost.

While uptime is a major gauge of reliability, it is not the only one. In fact, e-commerce sites must address the root cause of reliability issues, which come in two types: 1) technical, caused by a malfunction or bug in code or infrastructure; or 2) operational, including when the system falters or crashes because a site exceeds its capacity.

To create a cost-efficient and effective approach for addressing both types of reliability issues, companies need to combine superior software development with capacity planning and infrastructure management, including configuration management.

Reliability begins with the robustness of the site software itself. Best practices in application design and development, such as adhering to CMMi Level 5 standards, can maximize performance by minimizing defects and inefficient code that cause site malfunctions, slow response time and require more processing power. This is, however, only a good first step.
Beyond solid design and development, companies need to develop an expertise in capacity planning and management. With capacity planning, a company routinely monitors and balances its network and infrastructure to anticipate load changes, especially as it alters its system and accommodates changes in usage. New tools allow mathematical models to be built to simulate the applications and infrastructure so that volume can be tested and likely bottlenecks found even before completing the software or deploying the infrastructure.

Determining the right balance for a company's infrastructure load is a complicated undertaking. Firstly, the demand fluctuations through the web are more unpredictable than from internal systems used by a finite number of employees. Additionally, third-party integrated components and systems add complexity and uncertainty.

Since an e-commerce system is only as strong as its weakest links, a capacity management program targets those possible single points of failure. It identifies possible problem spots and addresses them through such steps as:

- Building in redundancy such as clustering servers or adding a second firewall or network;
- Tuning applications, databases and networks;
- Using tools to test load to prepare for new applications and hardware;
- Segregating functionality so most of the site remains operational even if a capability or part of the site goes down.

Once the solutions are in place, leading e-commerce companies can then routinely do stress testing, especially after making changes to the site's hardware or software.

Configuration management helps ensure the redundant systems are ready and able to step in if there is a problem. An active configuration management program helps build consistency between the primary systems and the backups by keeping a database of how every server and system is configured, then updating the backup systems to parallel changes in the main system. In addition, configuration management builds in regular tests of the backup servers and systems to keep them ready to take over as seamlessly as possible when a main system goes down. Configuration management also helps to ensure the test system matches production, critical for proper testing.

Building Block: Performance

The ultimate goal of any e-commerce site is to move the consumer to a sale, with the minimum number of clicks to conversion. For the customer, it's all about making the site intuitive to use and relevant. If a site puts too many obstacles in the way to a sale (too many pages, registrations, hard-to-find shopping carts or inaccurate search results), the customer is just one click away from switching to a competitor's site.

Poor or even mediocre performance costs more, in more ways than one. Not only does it drive away frustrated customers due to longer wait times, but it also requires more support hardware, more processing power and related hard-dollar outlays.

Good performance depends on smart, efficient design and development, coupled with processes to ensure the site is monitored and adjusted to maintain operational excellence. For applications, CMMI Level 5 development processes help ensure everything from the business requirements to the quality are exactly what a company needs, the first time. This best-practice software development approach also enables on-time delivery and provides a proven path to better performance when upgrading existing subpar software.

CMMI is, however, not a magic pill. It should be one part of a comprehensive plan to create a high-performing site, along with several other components. The first is a service-oriented architecture (SOA), which offers an opportunity for major performance improvement, whether in unifying an e-commerce site that has been built over time using different software or for starting a new site from scratch. SOA integrates disparate system components and applications while providing a modular design that enables functionality to be compartmentalized and easy to identify. It is generally easier to maintain, as well. Done right, SOA:

- Enhances the IT organization's ability to analyze and respond to performance issues;
- Enables module reuse, creating software capabilities, such as a payment module, that can be reused in other applications (e.g., on the company website and in call centers for reps), helping to drive efficiency, reliability, and reduced costs;
- Minimizes database searches and response times because it stages likely data to be used;
- Offers potential to perform asynchronous data lookups or other processing in parallel to prime navigation paths to speed likely further steps.

Moving to an SOA-based architecture is a significant effort and is often completed in stages. As a starting point, companies should determine their weakest applications, capabilities or parts. They can pinpoint these weak spots by looking at the site's problem history, where the company is spending too much time and money, where there is weak documentation and by the age of technologies. Once these areas are identified, they can be further assessed through the use of such techniques as cyclomatic complexity, which encourages continuous program improvement, and best-practice code analysis or code profiling to understand program behavior under various stress scenarios.

Hand-in-hand with efficiency is designing for user friendliness. To that end, companies need to dedicate a group to focus on user experience (UX). This group monitors online customer behavior and analyzes such issues as how long the consumer must wait, what the consumer typically does (with an aim to making standard paths very fast) and where and (perhaps) why abandons typically occur. This insight is used in building better online applications and functionality.

As discussed in relation to reliability, load monitoring and balance testing is also critical for peak performance. Load monitoring is essential to anticipate major shifts in traffic, which could slow or stop performance.

Like UX, performance and stress testing is key to maintaining operational excellence, especially for high-volume sites. Stress testing involves placing dummy transactions or simulating user activities on a mini-production environment created to mimic the software and hardware settings of the live site. Stress testing tools can help keep the simulated and live environments in sync and minimize the hardware and software necessary to replicate the actual site.

Stress testing should be carried out whenever an organization introduces a software or hardware change of any significance. For example, Black Friday and Cyber Monday in the United States typically see a large increase in retail sales. In 2010, eBay and PayPal both saw extreme increases in their mobile site usage, with eBay doubling its mobile sales and PayPal seeing a 310% increase from 2009, according to TechCrunch. Sites must prepare for these inundations prior to occurrence, or else risk slow performance or crashing.

Focus on the Key Building Blocks

While a strong e-commerce platform is of clear strategic importance, CIOs and their e-commerce teams often struggle to balance a deluge of IT demands and crises against a backdrop of budget and time constraints. Understanding and focusing on the key pivot points for achieving top-notch security, reliability and performance, though, can spell the difference between online success and mediocrity. For security, a holistic approach to best practices, backed by processes that enforce consistency, is critical. Reliability depends on software quality combined with expertise in infrastructure and capacity planning and management.
Software design and development that delivers efficiency and ease of use, along with regular performance and stress testing, can help ensure operational excellence. Companies that invest in the people, partners, processes and capabilities for achieving excellence in those areas will go a long way to ensuring they create an e-commerce platform that will help deliver exceptional online results.

Partnering for E-commerce Strength

Building and keeping an e-commerce site at peak performance requires a wide and deep IT skill set, from application and middleware design and development and UX to infrastructure and network capacity planning and management. Moreover, it requires building and implementing processes to ensure security, reliability and operational excellence are consistent priorities. Given all of the demands on IT departments, it is no wonder that few companies have the necessary experience, capabilities and discipline to excel at all of these areas. So, many companies team up with outsourcing experts with strong e-commerce capabilities and experience, like Bleum. Bleum offers a rare combination of expertise and client success in all key e-commerce areas.

Experience. Bleum's executive team, as well as its programmers and testers, bring a proven track record of building and optimizing e-commerce sites, including expedia.com and one of the world's largest online stores. For a top 5 global retailer, Bleum serves as half of the development team for the online store and runs the network operations center (NOC). The retailer has expanded Bleum's responsibilities to include building a new Chinese e-commerce site.

Results. Since bringing on Bleum, one major retailer's e-commerce site has handled the highest shopping volume in its history without a single outage. Bleum produces hundreds of new features every month, helping drive an online sales growth of 22% in 2010.

Capability. Bleum provides a full range of e-commerce technology services from infrastructure assessment, platform recommendation, site design and implementation and mobile strategy definition and implementation. Bleum also provides end-to-end NOC solutions for mission-critical operations, from NOC strategy consulting and process setup through full ownership of NOCs.

ATG Expertise. Bleum has the biggest ATG resource pool in China and can build an e-commerce infrastructure from scratch, including store site, backend ordering and fulfillment, supply chain, customer service, business intelligence and integration with existing retail IT systems. Bleum's ATG team includes professionals fluent in English, Chinese and Japanese.

Talent. Hiring some of the best and brightest Chinese engineers, Bleum builds dedicated teams for its clients and makes acquiring domain knowledge a priority for the team, reducing the learning curve and proving client value faster. All Bleum employees speak English and the company further develops their fluency through extensive language training as well as courses in Western culture and technical skills.

Quality. An industry leader in software development, reappraised in 2010 as CMMi Level 5 companywide, Bleum delivers more than one-third of all projects at production with zero major or moderate defects. Overall, we average 1 defect per 10,000 lines of code versus the market average of 7 defects per 1,000 lines of code.

Discipline. Using proprietary project management and quality systems, Bleum applies highly mature and effective processes to everything from design, development and testing of the NOC. The systems also allow clients to track progress in real-time based on key metrics from productivity per engineer per hour to schedule variance.

Security. Certified ISO 27001, Bleum adheres to the highest security practices for data protection.
Bleum also promotes the Open Web Application Security Project (OWASP), a non-profit organization focused on improving security for applications through the creation of freely-available articles, methodologies, tools and technologies. Bleum's security processes limit employee access, require legal agreements with employees and build in multiple layers of physical security. Bleum also regularly conducts security tests, holding bi-monthly examinations for all staff members.

WORLDWIDE HEADQUARTERS
Cloud-9 Mansion 8F
1118 West Yanan Road
Shanghai, 200052
+86 (21) 6282 1122
sales@bleum.com
www.bleum.com

Copyright 2011 All rights reserved.