eVitamins Case Study

eVitamins is a health and beauty online retailer that ships thousands of orders daily to 85 countries worldwide. Carrying more than 25,000 items, eVitamins supplies over 600 different manufacturers.

eVitamins has grown significantly since its founding in 1999. An online retailer of health and beauty products, the company processes thousands of online orders each day from more than 85 countries and its website is localized in 15 languages. As a global online business, it’s not surprising that the company’s website faces continual security threats and challenges. “Being in 85 countries opens us up as a target to constant threats from all over the world,” says Thomas Wick, president of eVitamins.

Specific security challenges for eVitamins included HTTP flood attacks and distributed denial of service (DDoS) attacks designed to take down its website. It also saw malicious activity in off hours and access attempts by bad IP addresses. The company needed protection against rogue robots that could flood its website with traffic, SQL-injection attacks designed to extract data, and cross-site scripting attacks (XSS) that could insert malicious code into web pages.

To achieve the highest-level security demanded an extremely labor-intensive process. The company constantly monitored log files and access attempts, manually updating algorithms to pick out bad IP addresses and requests and blocking them one at a time. “Everything was implemented manually,” says Wick. “Nothing was automated, nothing was truly scalable, and we put in a lot of late nights. It was a very cumbersome process.”

After evaluating several security solutions, eVitamins chose Amazon Web Services (AWS) and its web-application firewall, AWS WAF, because it offered the security and scalability the company needed. “Protection and scalability—those two things were critical for us because we sell goods online worldwide,” says Wick. “By using AWS WAF, we got the protection we needed, and it was easy to implement and very cost-efficient.”

eVitamins was able to convert its security processes to AWS WAF in less than one week. “We were up and running quickly and securely protected,” says Wick. To simplify the process, the company took advantage of AWS WAF preconfigured protections to block common attack patterns. One solution it uses, called “Honeypot,” lures content scrapers and bad robots and then adds their source IP addresses to the AWS WAF block list. Another solution the company takes advantage of is protection against known bad actors via “IP Blacklists,” which uses an AWS Lambda function to check third-party IP-reputation lists—such as Spamhaus—for IP ranges to block. “AWS WAF maintains the list of bad IP addresses and continually checks for them across the cloud,” says Wick. “It makes our life so much easier.”

AWS WAF also includes a built-in rule engine to help protect against SQL injection and XSS injection attempts. “AWS WAF preconfigured protections make everything easy because we can deploy security features with a few clicks,” says Wick.

To precisely target the web requests it wanted AWS WAF to allow or block, eVitamins wrote its own custom rules using the flexible rule language AWS WAF provides. “We can configure new rules or settings with a few clicks, so when we have to configure or change something, it’s very easy to do,” says Wick.

eVitamins also uses other AWS services that are integral parts of the AWS WAF Security Automations solution, including Amazon CloudFront for its website-content delivery, and Amazon CloudWatch for tracking metrics, collecting and monitoring log files, setting alarms, and viewing changes in AWS resources. AWS Lambda is also triggered by some AWS WAF components, such as Honeypot. In fact, these functions are only possible because AWS WAF can work seamlessly with other AWS services.

By implementing AWS WAF for its website security, eVitamins now has increased protection against malicious activity. It is always up to date on protecting itself against IP offenders via Spamhaus, and offenders are automatically blocked. It can automate temporary blacklisting and force robots to play by its rules. And it screens for SQL-injection attacks and XSS attacks from both the network and application layers to reduce the load on its website. “We now have the true ability to not miss anything,” says Dave Ferrante, senior systems engineer for eVitamins. “AWS WAF works around the clock, automatically blocking anything malicious.”

Although the eVitamins IT team still conducts security audits, AWS WAF has significantly reduced labor costs and time spent on web-application security. “We estimate that AWS WAF has reduced our IT overhead by 90 percent compared to an application-level and manual solution,” says Wick. “With fewer resources dedicated to web security, there is more time available for other projects.”

The company has also saved money through reduction in incidents and website downtime. Wick estimates that attacks on the application layer are reduced by 90 percent. “By maintaining up times and reducing incidents, AWS WAF has been a huge success for our business,” says Wick. “Having literally no website downtime has saved us hundreds of thousands of dollars.”

AWS WAF also delivers significantly faster incident-response time. “We mitigate damage in 90 percent less time since moving to AWS WAF,” says Wick. “Website response time has also increased by about 20 percent,” says Wick. “Now that we’re disciplining bad users and our site isn’t bogged down by malicious activity.”

As eVitamins continues to grow, AWS WAF automatically scales to handle its increased security needs. “We’re getting more traffic to our site than ever before,” says Wick. “And it is so much easier to filter.”

“The AWS WAF Security Automations solution is like a dream come true because it has made security so much easier, better, and more scalable,” says Wick. “We chose AWS WAF because it is a highly cost-effective solution that does what our team can’t do. We talk about it all the time—how did we ever survive before moving over to AWS WAF?”