Stevie Awards honor American companies and business people from organizations in a variety of industries. The other four nominees have useful, innovate, and very smart products and services that can significantly improve your e-life, so please check them out.

• Data Robotics, Inc’s DroboElite Self-managing iSCSI SAN
• DocuSign’s Mobile Extension enabling users to securely e-sign documents from more than two dozen mobile devices
• Novell’s SUSE Studio for flexible and friendly Linux customization
• Zebra Technologies ZXP Series 8 retransfer printer which produces photo-like images FAST

As you can see, we’ll need your help to out class this year’s very qualified competition. Please help us win by clicking the icon below.

We appreciate your endorsement. The winner will be announced in June.

The full list of finalists from all New Products and Product Management Categories for 2010 is listed on the Stevie Awards website.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that help govern the way credit card information should be handled and protected. Its nomenclature can oftentimes be a bit confusing. So in a short series articles (starting with this one), we’ll break down the most important elements of the PCI DSS as it relates to data encryption.

PCI DSS Requirement 4

Requirement 4.1 of PCI DSS addresses the encryption protocols and instructs any entity that accepts, handles, transmits, or stores credit card data to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”
 
Let’s start with understanding what information is encrypted per Requirement 4. PCI DSS requires that all cardholder data (specifically the cardholder’s name, the card number, expiration date, and billing address) be encrypted when stored or transmitted.

Here are some common questions and answers about Requirement 4 to help developers navigate through it.

1. What encryption ciphers should be used for various classifications of data?

Different scenarios require different encryption methods and algorithm implementations. The types of data exchanged at various endpoints in your solution will determine the best method(s) for encrypting and storing/transmitting data. For most instances, symmetric key encryption is best suited for storing data. And 256-bit AES encryption is recommended for transmitting it. 
 
Symmetric key encryption is not always possible, and in these instances you must rely on the public key infrastructure (PKI) to establish SSL/TLS encryption between the customer-facing endpoints (such as a web server or application) and the customers’ systems. Most certification authorities accept key lengths up to 2,048 bits, which provides encryption up to 256-bit. However, this is not a guarantee that all traffic will be encrypted at that level. I highly recommended that you disable weaker SSL ciphers such as SSL1 and SSL2, and only allow SSL3 and TLS to operate with clients that support 256-bit encryption.

2. Will our encryption standard compromise the user’s experience or inhibit adoption of secure practices?

An example of this would be a system that is too slow to load, so users can write down confidential info, take it over the phone, or take shortcuts. Encryption oftentimes adds considerable overhead to a system that would otherwise operate smoothly. There are many hardware appliances available to accelerate the processing of encrypted data. Depending on different load scenarios, it may be necessary to consider additional hardware to maintain application scalability.
 
 
In addition to the impact on infrastructure, customers with older systems may not have the software necessary to support 256-bit encryption. These are extremely sensitive issues because this directly impacts the number of users who are able to conduct a transaction at an endpoint (whether it’s a hardware kiosk, such as an ATM machine or vending machine that accepts card data, or online via a website or application).

3. Will the hosting provider support the encryption requirements?

If “yes,” are there cost implications, and could it be found cheaper somewhere else?
 
 
Hosting resources are always important because, for all intents and purposes, most hosting environments meet the PCI DSS classification of a public environment. Even with dedicated server, data transactions commonly occur over common network equipment, which could constitute a breach of both the data and the keys themselves.
 
 
 
When working with your hosting provider it is extremely important to map out the various data sources and their destinations and ensure that traffic only traverses hardware dedicated to your company. In what is widely considered a deprecated architecture, most secure dedicated solutions include dedicated servers, switches, firewalls and physically isolated network design. This is oftentimes very expensive and not a requirement that hosting providers are willing to accommodate.
 
 
Virtualized environments are often best suited as they allow on-demand scalability, while also providing network isolation through the use of technologies such as VMWare’s vShield virtual switching. Breakthroughs in homomorphic encryption are also expanding possibilities in both virtualized and cloud-type systems, but these innovations are several years from being applicably useful.

4. How long should data be stored, and how to track the age of encrypted data?

Data can be stored for as long as it is required. It is a best practice to dispose of data when it is no longer useful. However, keeping data for extended periods of time often means that the data must be altered when the keys used to encrypt the data are retired and replaced. This often happens on a schedule resultant of a key policy, but can also result from the exposure of a compromised key.
 
 
These types of transformations must occur across all data, including data that has already been archived. This process is often cumbersome, and obviously becomes more so proportionate to the amount of data being stored.

Other Considerations

It is often not the responsibility of the developer to maintain an encryption key infrastructure. However, the developer must uphold the standards the IT department has established for developing strong keys and pairs, the secure storage of those keys, and the protected distribution of keys in transit to other endpoints.
 
 
In addition to making more resources available to the application, it is also a requirement that all encrypted sessions are automatically disposed after a specific period of inactivity. The ability to establish or re-establish a secure connection should also be tightly controlled.

Conclusions

The ultimate goal of PCI DSS Requirement 4 is simple: fraud prevention. Studies and real-life results prove end-to-end encryption (E2EE) to be one of the best ways to achieve this. The E2EE process starts with proper infrastructure and planning, and continues with developers who are responsible for implementing the actual encryption policies. Those developers also make sure it meets the highest protocols and security standards set forth in PCI DSS. 
 
 
Coding on top of (or around) encryption requirements is an art that often involves compromises or adjustments to business logic code. So it is critically important to establish up front business logic, encryption and data management standards when developing web applications that will handle credit card data.
 
Achieving compliance with Requirement 4 doesn’t have to be cumbersome or overwhelming. But it does have to happen. Understanding how to make this process simpler by breaking apart the various pieces can help developers reach PCI DSS security standards with less questioning and more clarity, which will help produce a secure environment.

A version of this article was published in eCommerce Developer on May 19, 2010.

Our virtualized servers provide secure, scalable hosting solutions to small and medium sized businesses around the globe. Thru the use of new, green hosting technologies, we’re helping reduce e-waste: energy consumption, CO2 emissions, hardware waste, and more.

Click Here to learn more about how FireHost leverages virtualization to save a few IT dollars while helping save the planet.

Cloud computing and cloud hosting practices have been around for some time, probably longer than you think. Long enough, in fact, to gain significant awareness and pique the interest of anyone starting, or growing a business. “I must have everything ‘in the cloud’” these entrepreneurs say!  While the definition and clear-cut use case for cloud hosting remains elusive, the promise of cost savings, “fair” usage based billing, and unlimited scalability has startups love struck.

Before you stroll thru the proverbial tunnel, do the modern dating ritual – a background check. Many companies (large and small) have come before you, and startups that are entertaining a cloud hosting solution today have many resources and case studies to help answer the question, “Is cloud hosting the right solution for my business?”

The realities both positive and negative are coming to light, and we’ve pulled together a list of evaluation criteria (pros and cons if you will) to help you:

Pros

Businesses that have flipped head over heals for cloud hosting enjoy it because it offers the following:

Simplicity
Entrepreneurs have enough on their plates as it is. Solutions that can simplify any part of their business operations are a welcome addition. Hosting in the cloud can streamline and simplify actions such as “pass thru” billing to end-users. In some cases, cloud hosting providers can even bill your customers directly.

Cost Effectiveness
Cloud hosting has a low cost of entry. There are no capital expenses to bear and it doesn’t require “IT-like” personnel to join you staff. Again, for a startup that isn’t depending on their site as a main business conduit this is a very inexpensive way to get going.

Moves as quickly as your business
Cloud hosting is extremely fast to implement in most cases and claims to be infinitely scalable. It also supports multi-platform development environments.

Doesn’t have what you don’t need
If you’re a start-up with no critical data on your Web site or applications, the security level of cloud hosting may be plenty.

Cons

If you’re planning to run most of your business through your site, expect (or already experience) a large amount of traffic, and house critical data there (such as E-commerce) then cloud hosting may be an unsafe bet. Here’s why:

Performance
In a cloud environment, all sites are competing for the hardware resources. If multiple Web sites spike coincidentally, it can result in everyone slowing down. Additionally, with cloud you never really know how much performance is available to you. The claim is that you get unlimited scalability, however many of the clouds’ early adopters are finding that is not the case as their Web site resource requirements grow and over-exceed this elusive capacity.

Security
Cloud hosting is simply not the most secure environment. It just isn’t there yet. If you’re looking to achieve and maintain data privacy requirements for PCI compliance, HIPAA compliance, SOX, E-commerce, and so on, then cloud hosting is not the solution for you.

Redundancy
One of the misconceptions of cloud hosting is that it’s hosted “in the sky and not in a datacenter,” which is not true. Cloud hosting resides in a single datacenter. Recently a large hosting provider’s datacenter went down leaving a lot of cloud hosted Web sites in the dark. The site owners had a huge reality check and quickly learned of the single-points of failure within a cloud environment.

Cost
The cloud gives businesses a hands-free method to scale their hosting, however some problems can arise that are financially surprising. For starters, automatic scaling can make people extremely lazy. If you’re not paying attention to your usage, you just might get a huge surprise on your next bill. One thing that’s a rising concern is hackers running up their victims’ hosting bills. One method that’s being used is a simple low-level DDoS attack (Distributed Denial of Service), which won’t take your site down but will keep your server very busy. Since you pay for usage with cloud hosting, your costs can spin wildly out of control. So if you’re using cloud hosting, make sure to pay daily attention to your usage.

While cloud hosting may provide some distinct benefits and cost advantages for start-ups or non-critical Web sites, it isn’t well suited for mission-critical Web sites and SaaS applications. In particular, you cannot achieve compliance mandates of HIPAA, PCI, SOX, etc. when storing data in and serving applications from “the cloud.”

So if you’ve been drawn in by the low cost of entry and fast implementation of the cloud, heed the warning that every rose has it’s thorn… even soft, fluffy, cloud hosting ones.

• Cloud computing is on-demand access to virtualized IT resources that are housed outside of your own data center, shared by others, simple to use, paid for via subscription and accessed over the Web.

• Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the “cloud.”

Despite any confusion about the role cloud computing should play within IT organizations and how the solution will be carried out, it continues to gain momentum. In fact, 99% of the respondents to F5′s survey are actively discussing or implementing a cloud solution within their organization and more than half (66%) of the participants have budgets set aside for cloud solutions.

IT Managers have high expectations for what can be “offloaded” to cloud environments . 75% of the survey respondents believe PaaS (Platform-as-a-Service) is part of the cloud. 66% said Iaas (Infrastructure-as-a-Service) should be included. Interestingly, the more “popular” buzzword SaaS (Software-as-a-Service) registered as a cloud component with only 60% of the participants.

The core, organization-wide drivers behind the need for a public cloud are slightly different from the requirements reported by private cloud users.

• Public Cloud – #1 efficiency, #2 reducing capital costs, #3 easing staffing issues
• Private Cloud – #1 reducing capital costs, #2 agility, #3 easing staffing issues

Not surprisingly however, most IT Managers want to examine the critical technology behind the cloud infrastructure. The main concerns they want addressed before adopting could computing solutions are Access Control, Network Security, and Server and Storage Virtualization.

WordPress users can get the latest version (which was released about a week ago) three ways:

1. Download it here to manually upgrade.
2. Initiate the upgrade automatically by clicking the Upgrade link under the Tools menu in your blog’s admin. (v 2.7 or later)
3. Host your website with FireHost, and let us take care of the upgrade for you.

We’re glad to see WordPress take action to help prevent hackers from compromising websites built on the their great platform. Kudos to the WordPress team for helping keep everyone safe.

Extensibility through plugins is an important feature in WordPress. This tool allows users to build upon the original application and customize it according to their own needs, similar to add-ons in the popular Firefox web browser. Currently, there are thousands of WordPress plugins, but there’s one in particular enabling your blog to easily serve millions of visitors at once: The WordPress Super Cache.

The Super Cache plugin automatically generates static HTML pages directly from your dynamic WordPress blog, transforming resource-heavy WordPress PHP scripts into much lighter HTML pages. This allows your website’s blog to operate faster and serve more visitors.

There isn’t a visible difference for your visitors, but this plugin is very important when your traffic spikes upwards of millions of visitors per hour. As long as you have a professional web hosting plan, The WordPress Super Cache will enable you to easily serve millions of visitors from sources like Digg, Facebook, or Twitter.

Because WordPress is an open source platform however, it is highly susceptible to exploitative attacks. This is where FireHost steps in, providing an industry-leading secure hosting environment, safeguarding your website and protecting your data. Without this protection in place, your website will be prepped to weather an onslaught of visitors by using Super Cache, but could be easily compromised and taken offline by a single hacker.

With professional hosting solutions from FireHost, your company can embrace success, rather than worry about it. To realize your company’s full potential with FireHost and WordPress, contact a FireHost professional today.

While a matter of personal preference for many, Google is at the core of our internet-driven culture. Need a recipe? Google it. Need directions? Google it. Need an email account? Google it. Need a picture? Google it. 

The examples of Google’s ability to facilitate your web browsing needs are virtually limitless. You can find nearly anything you need using Google, which is why it’s become the leading search engine on the internet.

 In fact, there’s a good chance most of your visitors discover your website through Google.

Realizing the business value of accurate, relevant search results, Google has developed a cutting-edge hardware, the Google Search Appliance. The Google Search Appliance gives businesses the opportunity to add a powerful search feature to their website, using Google’s own search engine technology.

Your visitors are empowered to find what they need on your website, complete with the familiar layout of a Google search results page which can be customized for your website look and feel as well as content. You even have the option to schedule daily web-crawling and updating of your site’s content with Google directly. When you provide your visitors with Google-powered, relevant search results, they will be more likely to find what they’re looking for, purchase your goods or services, and return to your website later.

FireHost brings the power of Google Search to your website as part of our robust line up of secure web hosting product and services. We can integrate the Google Search Appliance into your website now. If you’re ready to Google-power your website, contact a FireHost professional today.

NBCF accomplishes their mission through initiatives such as the National Mammography Program, their educational video Beyond the Shock, and the MyNBCF online community. Providing NBCF with industry-leading secure managed hosting, FireHost epowers breast cancer survivors and supporters to share their stories and offer encouragement to women and families of patients and survivors via online forums, news groups, video galleries, and blogs.

“With Telligent Community Server, I know what’s going on in the MyNBCF community as it happens, and that’s a beautiful thing.”

- Kevin Williams, NBCF

The MyNBCF online community accomplishes this great work using Community Server by Telligent, an enterprise-level social network platform hosted by thousands of companies, including Dell, Intel, Electronic Arts, and Microsoft.

Since implementing Community Server hosting thru FireHost, NBCF has experienced a significant increase in MyNBCF registrations as well as a notable increase in online donations.

Community Server hosting helps propel these results by offering:

• Organic Traffic Growth
  Social networking provides exponential traffic growth as users become active participants in the community, invite their friends, and those friends invite new friends.

• Ease of Use
  Similar to using Microsoft Word, publishing content with Community Server is simple. All you need to do is type.

• Immediate ROI
  Increased customer satisfaction, a network of community experts, and reduced support costs are just a few of the high-impact financial benefits of Community Server hosting.

FireHost can make Telligent Community Server hosting part of your online community. Contact us today to put Community Server to work on your website.