What happens in Vegas.com, stays in Vegas.com

Case study: How can you keep all your data in encrypted form without rewriting every legacy application you use?

Vegas.com doesn't like gambling, at least when it involves the private information of its customers. The question is: How can you keep all your data in encrypted form without rewriting every legacy application you use?

Vegas.com is probably best known as the premier travel site in Las Vegas. From casinos to chapels, from Hoover Dam to Wayne Newton, if it's in or around Las Vegas, you can find it on Vegas.com. While the site draws close to a million visitors a month, it's only part of the Greenspun Media Group, which also includes newspapers, magazines, cable channels and other areas of business.

The company's Henderson, Nevada, campus houses its own data center, which hosts all the Web servers, database servers and application servers that the site uses. The Vegas.com IT group supports the infrastructure of the entire company.

One problem that Vegas.com faced was serving its pages up rapidly enough, given all the purchase and reservation transactions that customers were performing at the site. "Load balancing among servers is tricky enough," said Brian Hayashi, director of engineering for Vegas.com. "Add security considerations like SSL and it's even worse." Most load balancers struggle in encrypted environments because they cannot read encrypted traffic. Luckily, Vegas.com found a solution with Ingrian Networks Inc. in Redwood City, Calif., which offers a Load Balancing Service Engine oriented specifically toward encrypted operations such as SSL.

Vegas.com's other major concern was handling private customer information. Thousands of customers trust the site with their personal information such as credit card numbers -- not the kind of data you want falling into the wrong hands.

"Ideally, we wanted to keep all our data encrypted, even when backed up," explained Hayashi. Furthermore, the company preferred not to keep the decryption keys on its own servers, where they could potentially be vulnerable to internal attacks, a consideration that many larger enterprises have ignored to their peril.

To make the problem more difficult, they didn't want to rewrite their existing applications to perform the encryption-decryption process in software. "We could do that, but it would mean an extensive development process," Hayashi said. That would take a long time, leaving data unencrypted in the meantime. They looked around for another solution and found one -- with Ingrian.

Ingrian offers its DataSecure Platforms, including a hardware appliance, a network-attached encryption server, and a connector that includes load balancing and a cryptographic interface. "We were comfortable with Ingrian, based on our previous experience with them," noted Hayashi.

Using the Ingrian solution, Vegas.com can keep its data encrypted in the database. The hardware unit transparently performs any decryption that applications may require. "There's no impact on performance," reported Hayashi.

Hayashi feels comfortable about the future of this solution. Ingrian offers several higher-end platforms to support Vegas.com's growth, as well as encryption libraries for eventually rewriting those legacy apps. With this bet, the house wins again.
