In the wake of what happened at Ellie Mae, we begin to wonder: What do software companies need to do to secure sensitive data?
The mystery surrounding what exactly happened at Ellie Mae to cause its system to go down continues to unravel. What Ellie Mae initially labeled “a distributed denial of service (DDoS) attack” is now being called an outage that was “triggered by a confluence of factors involving network, hardware, software and demand for service.” Regardless of what happened, lenders deserve better.
“Ellie Mae is a strong competitor,” said Keven Smith, President and CEO at Mortgage Builder. “We compete with them in almost every deal. We feel badly for the impacted lenders, but we also want to reach out to talk about our strategy. These attacks are nothing new. We’ve had attacks in the past and we’ve prevented them from disrupting our clients’ business.”
In the wake of this disaster, Mortgage Builder decided to be proactive and tell its clients what would happen if Mortgage Builder found itself in Ellie Mae’s shoes. Can Mortgage Builder fend off what Ellie Mae called a distributed denial of service (DDoS) attack? I obtained that letter. Here’s some of what Mortgage Builder told its clients about what it is doing to ensure its system doesn’t experience the same outage as Ellie Mae’s Encompass did:
“Based on this event we have had a handful of clients this week reach out to ask ‘can this happen to us’ as a Mortgage Builder client. Although it does not entirely mitigate all the risks associated with doing Internet business, we already have in place system functionality and IT infrastructure that should put our customers at ease. We have two types of deployed LOS systems at Mortgage Builder:
>> Client Hosted – these are clients that host MB at their office locations or at a Co-Location facility of their choice. For these clients the software and data would not be affected by a DDoS attack on our MB hosting facility. One important differentiator between MB and most other LOS’s is that document preparation is embedded into the MB system and all interfaces are built directly to the vendor or provider of service and do not route through any middleware product hosted by MB. So in short, an MB DDoS occurrence would not affect a self-hosted MB customer in any way.
>> Mortgage Builder Hosted – These clients are hosted in one of our MB Co-Location facilities. The Mortgage Builder environment provides multiple redundancies to provide constant uptime in the case of a DDoS attack. There are 5 Internet connections from multiple providers and an engineered routing policy to analyze, react, and mitigate Internet traffic in the event of a DDoS attack. When our Co-Location detects an abnormal spike or malicious network traffic directed at the target host (MB server), the mitigation routing policy is deployed and automatically routes the target’s IP address upstream to prevent saturation of the MB connection. The network returns to normal when the network event is over and the malicious packet stream has subsided. This DDoS defense is protecting our entire network (all products). With its protection your network will remain up, even during a dangerous network event.”
Let’s face it: lenders have been so focused on lowering volume and increased regulation that they don’t want to worry about technology. Lenders want to be on browser-based solutions in the cloud or fully Web-based systems, and they don’t want to worry about it. That’s fine, but there are things that lenders have to look for in an LOS to make sure that their business is secure.
“We have clients paying per closed loan in a SaaS environment that opt to host the data themselves,” explained Smith. “We can also host the data on our servers as well. Our strategy is such that if our servers are down, the customer is still protected. Also, all of our interfaces go direct to the vendor, not through a platform like the Ellie Mae Network or another third party.”
Mortgage Builder touts that it can also transition clients from one model to another over just a weekend. “We can transition clients to a hosted model or they can transition back to a client-server environment if they feel more secure with that strategy given what happened with Ellie Mae. We can also offer disaster recovery solutions to those lenders that want to self host, but still want that security.”
And it’s not just LOS vendors that need to be prepared to transact in an Internet-based world. As the industry moves to a Web-based, Software as a Service model, these situations will persist. In a Web-based environment the vendor has to work overtime to protect sensitive information and fend off all kinds of issues that may cause the system to go down. The strongest vendors have mastered this skill. In fact, DocMagic, Inc. has said that its customers are expressing concern with the reliability of their mission critical technology systems and are asking for more information about system uptime from their vendors. Here’s what DocMagic tells its clients:
DocMagic has maintained these stats for its own company for many years and publishes its status, including uptime, processing time and bandwidth, in real time, on its website at: https://www.docmagic.com/webservices/status/main.jsp.
“We’ve always shared our uptime record with our customers because it’s just so important,” said Dominic Iannitti, CEO of DocMagic. “With uptime typically between 99.99 and 99.999%, our clients never have to worry about having access to the documents and compliance tools they need to close their loans. This type of uptime is not only possible, it’s critical to the fundamentals of mortgage lending. Companies that take customer service seriously do a good job of achieving the 99.99%+ uptime metric.”
Iannitti pointed out that guaranteeing reliability involves investment in infrastructure, superior staff training, constant monitoring and an unwavering commitment to the task. He adds that any lender who has suffered through a service interruption knows exactly how important it is.
At DocMagic, uptime means that all company services are functional and available to its customers. It’s not just a measure of when the servers are turned on. To test this, DocMagic developed a proprietary system that sends complete transaction requests of all types through the system continuously, 24 hours a day, 7 days a week. As these requests flow through the system, company technicians monitor over 1,000 data points that impact service delivery and quality. Any potential problems are identified and addressed before they can escalate and pose a risk to the entire system.
Measuring uptime with any method that does not include the actual delivery of the company’s service results in a meaningless metric that will not contribute to high service availability standards. Customers should require service providers to provide uptime information.
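The gap between "servers are on" and "the service is delivered" can be made concrete with a short calculation. This is an added example, not DocMagic's proprietary system or code from any vendor named here; the probe records, field names and outage minutes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    minute: int     # minute of the day the check ran (constructed data)
    host_up: bool   # liveness check: the server answered
    txn_ok: bool    # a complete synthetic transaction returned a correct result

def availability(probes, field):
    """Fraction of probes for which `field` was True."""
    return sum(getattr(p, field) for p in probes) / len(probes)

def outage_windows(probes, field):
    """Contiguous (first_minute, last_minute) runs where `field` was False."""
    windows, start, prev = [], None, None
    for p in sorted(probes, key=lambda p: p.minute):
        failed = not getattr(p, field)
        if failed and start is None:
            start = p.minute
        elif not failed and start is not None:
            windows.append((start, prev))
            start = None
        prev = p.minute
    if start is not None:
        windows.append((start, prev))
    return windows

def downtime_budget_minutes(target, days=30):
    """Minutes of downtime an availability target allows over `days` days."""
    return round((1 - target) * days * 24 * 60, 3)

def build_sample_day():
    """One probe per minute for a day: the host is down for 2 minutes, and the
    service fails for a further 30 minutes while the host still answers."""
    probes = []
    for m in range(1440):
        host_up = m not in (100, 101)
        txn_ok = host_up and not (600 <= m <= 629)
        probes.append(Probe(m, host_up, txn_ok))
    return probes

if __name__ == "__main__":
    day = build_sample_day()
    print(f"host-level uptime:    {availability(day, 'host_up'):.4%}")
    print(f"service-level uptime: {availability(day, 'txn_ok'):.4%}")
    print("service outages:", outage_windows(day, "txn_ok"))
    for target in (0.9999, 0.99999):
        print(f"{target:.3%} allows {downtime_budget_minutes(target)} min per 30 days")
```

In the constructed day, the liveness check misses the 30-minute window in which transactions fail on a reachable host, and that window alone is several times the 30-day downtime allowance at 99.99%.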
“Reliability is one of the most important qualities in a service provider,” Iannitti said. “DocMagic is fully transparent when it comes to service delivery uptime. Achieving the high level of uptime that we do is a major accomplishment, of which our entire organization is very proud. It means we are absolutely the best at what we do and we prove it to our clients every day.”
In the end every vendor is vulnerable to DDoS attacks and other issues, but the better vendors do everything possible to make sure their clients are not impacted.