A CTO’s guide to securely scaling ecommerce platforms

This is part of an ongoing series of posts in which we’ll dive into the complexities and challenges facing modern SaaS platforms. We’ll also look at how we can leverage modern cloud architecture to keep our software safe, secure, and accessible. 

In this blog post, Benny Olsson, CTO at Norce, will take a brief look at how Norce Commerce harnesses Azure to enable dynamic horizontal scaling, and how we use this capability to counteract DDoS attacks.

At the heart of our dynamic horizontal scaling capability is a fully serverless platform built on an API-first, service-oriented architecture and Azure Kubernetes Service (AKS). Inter-service communication is handled through stateless APIs, and the application layer is partitioned by domain area.

This approach makes full use of Azure Kubernetes Service and horizontal pod autoscaling. Most importantly, it allows us to scale individual segments of Norce Commerce independently whilst avoiding time-intensive manual operations.

Horizontal scaling can be done both automatically on-demand as a response to a sudden increase in API requests, and proactively when we know that there’s an event that will drive a lot of API requests such as Black Friday.

This flexibility is available in all our offerings, including our enterprise offering where we help our customers achieve finely tuned and cost-efficient scaling through single-tenant SaaS.

There are many benefits to this approach – reduced complexity, cost efficiency, and reduced carbon footprint to name a few. However, the focus of this blog post is on the ability to better withstand DDoS attacks; specifically, application layer attacks.

Most application layer attacks that we’ve seen targeting our SaaS platform increase the total traffic volume by 200-300%. Not 200-300% for a specific customer, but 200-300% across the entire platform. The ramp-up time is usually less than 60 seconds. This means that, at any moment and with less than 60 seconds’ notice, we need to be able to handle three times the normal number of API requests, preferably without losing any real requests.

In the case of Norce Commerce, most application layer attacks weigh heavily on the application layer but rarely affect the database. Being able to scale the application layer horizontally within seconds leaves us far better equipped to absorb the extra workload an attack brings than we would be running the same workloads on virtual machines.

We’re proud to be able to say that, although there is usually a short spike in API response time during the initial phase of an attack while the system is scaling out and readjusting to the sudden increase in API requests, we tend to handle most, if not all, real requests for the full duration of an attack.
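The three paragraphs above describe the race that decides whether real requests are lost: the attack reaches 3x platform traffic in under 60 seconds, while the autoscaler needs time to notice the load and new pods need time to become ready. The following model, added here as an illustration and not Norce code, replays that race under Kubernetes HorizontalPodAutoscaler defaults (15 s sync period, 10% tolerance, scale-up limited to the larger of +100% or +4 pods per 15 s) and compares a purely reactive floor with a proactively raised one, as the post recommends for Black Friday. The baseline load (1000 req/s), per-pod capacity (100 req/s), HPA target (70%) and pod start-up time (30 s) are constructed assumptions, as is the simplification that a saturated pod reports 100% usage rather than the true demand.

```python
"""Capacity model for an application-layer DDoS ramp against an autoscaled API tier.

Added illustration, not Norce code. Load figures, per-pod capacity and pod
start-up time are constructed assumptions; the HPA arithmetic follows the
Kubernetes HorizontalPodAutoscaler defaults.
"""
from dataclasses import dataclass
import math


@dataclass
class Scenario:
    baseline_rps: float = 1000.0      # normal platform-wide request rate (assumed)
    attack_multiplier: float = 3.0    # total traffic reaches 3x baseline (page: +200-300%)
    ramp_seconds: int = 60            # attack reaches full volume in under 60 s (page)
    duration_seconds: int = 300       # length of the simulated attack window
    rps_per_pod: float = 100.0        # requests/s one pod can serve (assumed)
    target_utilisation: float = 0.7   # HPA target, e.g. 70% CPU -> 70 rps per pod
    hpa_sync_seconds: int = 15        # HPA evaluation period (Kubernetes default)
    pod_ready_seconds: int = 30       # scale decision -> pod serving traffic (assumed)
    min_replicas: int = 15
    max_replicas: int = 200


@dataclass
class Result:
    peak_replicas: int
    saturated_seconds: int
    real_dropped: float
    real_total: float

    @property
    def real_drop_fraction(self) -> float:
        return self.real_dropped / self.real_total


def demand_at(s: Scenario, t: int) -> float:
    """Linear ramp from baseline to baseline*multiplier over ramp_seconds, then flat."""
    frac = min(t, s.ramp_seconds) / s.ramp_seconds
    return s.baseline_rps * (1.0 + (s.attack_multiplier - 1.0) * frac)


def hpa_desired(s: Scenario, current: int, observed_rps: float) -> int:
    """Replica count an HPA would ask for at one sync.

    desired = ceil(sum of pod usage / per-pod target); pods not yet ready count
    as zero usage (the conservative scale-up rule). Changes within the 10%
    tolerance band are ignored, and one step may at most double the current
    count or add four pods, whichever is larger (default scale-up policy).
    Scale-down is not modelled: the default 300 s stabilisation window means
    no scale-in happens inside this attack window anyway.
    """
    per_pod_target = s.rps_per_pod * s.target_utilisation
    ratio = observed_rps / (current * per_pod_target)
    if abs(ratio - 1.0) <= 0.1:
        return current
    desired = math.ceil(observed_rps / per_pod_target)
    desired = min(desired, max(2 * current, current + 4))
    return max(current, min(desired, s.max_replicas))


def simulate(s: Scenario) -> Result:
    ready = s.min_replicas
    pending: list[tuple[int, int]] = []   # (second at which pods become ready, count)
    peak = ready
    saturated = 0
    real_dropped = 0.0
    for t in range(s.duration_seconds):
        still_pending = []
        for ready_at, n in pending:
            if ready_at <= t:
                ready += n
            else:
                still_pending.append((ready_at, n))
        pending = still_pending
        peak = max(peak, ready)

        demand = demand_at(s, t)
        capacity = ready * s.rps_per_pod
        if demand > capacity:
            saturated += 1
            # Overflow is shed indiscriminately, so legitimate traffic loses the
            # same share as the attack traffic during every saturated second.
            real_dropped += (demand - capacity) * (s.baseline_rps / demand)

        if t % s.hpa_sync_seconds == 0:
            # Saturated pods report 100% usage, not the true demand behind it,
            # which is what limits each scale-up step while overloaded.
            observed = min(demand, capacity)
            current = ready + sum(n for _, n in pending)
            desired = hpa_desired(s, current, observed)
            if desired > current:
                pending.append((t + s.pod_ready_seconds, desired - current))
    return Result(peak, saturated, real_dropped, s.baseline_rps * s.duration_seconds)


def replicas_for(s: Scenario, rps: float) -> int:
    """Replicas needed to serve `rps` at the HPA target utilisation."""
    return math.ceil(rps / (s.rps_per_pod * s.target_utilisation))


def compare() -> dict:
    """Reactive floor sized for baseline load vs. a floor pre-scaled for 3x load."""
    base = Scenario()
    reactive = Scenario(min_replicas=replicas_for(base, base.baseline_rps))
    proactive = Scenario(
        min_replicas=replicas_for(base, base.baseline_rps * base.attack_multiplier))
    return {"reactive": simulate(reactive), "proactive": simulate(proactive)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} peak={r.peak_replicas:3d} saturated={r.saturated_seconds:3d}s "
              f"real requests lost={r.real_drop_fraction:.1%}")
```

With these assumptions the reactive configuration takes three sync periods plus pod start-up to reach the 43 replicas the attack needs, is saturated for roughly a minute and sheds a few percent of legitimate requests during that window; the pre-scaled floor never saturates and ends at the same replica count. The saturation-limited step size is worth noting: an overloaded tier reports 100% usage, so each 15 s step can only grow by roughly 1/target, which is why raising the floor ahead of a known event pays for itself.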

At Norce we have an uncompromising focus on security. This focus permeates the entire software lifecycle: from how we design, implement, and test our code, to how we host Norce Commerce and keep customer data safe, it applies every step of the way.

In today’s cyber threat landscape, seamless integration between security and scalability is a must-have for any modern SaaS platform for digital commerce. Norce is always striving to be one step ahead of our competitors in this area.

Going fully serverless and partnering with Microsoft in bringing Norce Commerce to life in Azure not only moves us a step but carries us a giant leap ahead of the rest of the crowd.
