Thursday, November 4, 2010

Security - Take it Seriously

With thousands of clients worldwide processing hundreds of millions of dollars in transactions on a yearly basis, the security of our customers’ data is paramount to the service that GramercyOne / SpaBooker provides. Since security is such a critical part of any software solution, we thought we would take a minute to talk about four specific areas that any business should consider before choosing a system:
  • Data Security
  • Application Security
  • Network Security
  • Physical Security

Data Security
The security of your data is perhaps the most critical component of any system. Countless times we’ve seen a previous data loss be the driving reason that a customer is considering new management software. Generally, and unfortunately, an owner will have had a hard drive or computer fail, taking all of their valuable customer data with it, and after experiencing that loss, they never want to experience it again.

Since our launch in 2007, SpaBooker has never experienced a data loss or data corruption incident. We ensure that this doesn’t happen by utilizing an n-tier system architecture. What this means is that we have multiple, redundant application servers, database nodes, and networking devices. All data is backed up nightly. Our policy is that we worry about redundancy and data backup so that our customers don’t have to.

Application Security
Due to the volume of transactions that flow across our platform, GramercyOne / SpaBooker is certified as a Payment Card Industry Data Security Standard (PCI-DSS) Level 1 audited organization. To attain this accreditation SpaBooker utilizes some of the most advanced technology available today for Internet security. For instance, when a user accesses our system using industry standard Secure Sockets Layer (SSL) technology, our clients’ information is protected using both server authentication and data encryption, ensuring that their data is safe, secure, and available only to registered users.

Additionally, SpaBooker utilizes triple factor authentication, which in plain English means that each user must enter an account name, a unique user name, and a password each time they log in. SpaBooker does not use "cookies" to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data, encoded session IDs, and even the accessing IP address.
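The session handling described above (encoded session IDs that are checked against the accessing IP address, with confidential user and session state kept on the server rather than in cookies) can be illustrated with the following added example. This is not SpaBooker's code and does not describe how their platform is built; the HMAC-signed opaque token, the in-memory store, the 15-minute timeout and the revoke-on-IP-mismatch rule are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example only; a real deployment
# would load it from a secrets manager and rotate it.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


class SessionStore:
    """In-memory session store: the client only ever holds an opaque, signed
    session ID; the user identity and other confidential state stay server-side."""

    def __init__(self, secret=SERVER_SECRET, ttl_seconds=900):
        self._secret = secret
        self._ttl = ttl_seconds
        self._sessions = {}  # token -> {"user", "ip", "expires"}

    def _sign(self, token):
        # HMAC-SHA256 over the random token, so a forged or edited ID is
        # rejected before any store lookup happens.
        return hmac.new(self._secret, token.encode("ascii"), hashlib.sha256).hexdigest()

    def create(self, user, client_ip, now=None):
        """Issue a new session ID bound to the IP address that logged in."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never contains '.'
        self._sessions[token] = {"user": user, "ip": client_ip, "expires": now + self._ttl}
        return f"{token}.{self._sign(token)}"

    def validate(self, session_id, client_ip, now=None):
        """Return the user for a valid session, or None. Expiry or an IP
        mismatch revokes the session outright; a bad signature is simply rejected."""
        now = time.time() if now is None else now
        token, sep, sig = session_id.partition(".")
        if not sep or not hmac.compare_digest(self._sign(token), sig):
            return None  # malformed or forged signature
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown or already revoked
        if now >= entry["expires"]:
            del self._sessions[token]  # timed out
            return None
        if entry["ip"] != client_ip:
            del self._sessions[token]  # presented from a different address: treat as hijacked
            return None
        return entry["user"]

    def revoke(self, session_id):
        """Explicit logout; returns True if a live session was removed."""
        token = session_id.partition(".")[0]
        return self._sessions.pop(token, None) is not None
```

Binding a session to the client address is a trade-off rather than a free win: users behind carrier-grade NAT or moving between mobile networks legitimately change addresses, and a store like this treats every such change as a hijack and forces a fresh login. The signature check runs before the store lookup so that guessed or tampered IDs cost nothing more than one HMAC computation.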

Network Security
GramercyOne / SpaBooker utilizes a multi-layered network infrastructure including multiple firewalls, routers, and switches. All devices within our production environment are monitored in real time by intrusion detection systems (IDS), discrete logging appliances, and actual people, 24 hours a day, 365 days a year.

In addition, every device within our production environment is subjected to multiple internal and external penetration tests per month. And, to top it off, SpaBooker has third party security auditors – sometimes referred to as “white hat hackers” – perform full on-site and off-site security testing on a regular basis.

Physical Security
At GramercyOne our core competency is creating the best scheduling and business management software in the cloud, not running a data center. As such we host with Rackspace Hosting, one of the best hosting providers on the planet. Rackspace is a PCI-DSS Level 1 and SAS70 certified provider that utilizes state of the art physical security precautions including:
  • Keycard protocols, biometric scanning protocols and round-the-clock interior and exterior surveillance monitor access to every one of Rackspace’s data centers.
  • Every data center employee undergoes multiple and thorough background security checks before they're hired.
  • Should a total utility power outage ever occur, all Rackspace data centers' power systems are designed to run uninterrupted, with every server receiving conditioned power from N+1 redundant UPS (Uninterruptible Power Supply) systems, with instantaneous failover if the primary UPS fails.
  • Every data center's HVAC (Heating, Ventilation and Air Conditioning) system is N+1 redundant. This ensures that a duplicate system immediately comes online should there be an HVAC system failure.

At GramercyOne we serve the service industry and we believe strongly that our partners should be able to use a system that allows them to spend more time with their customers, instead of worrying about their software. If you have any questions about this article or about our security policies and procedures, don’t hesitate to reach out to me at daniel.lizio-katzen (at)
