channeleyes technical whitepaper

1

THE CHANNELEYES TECHNICAL WHITEPAPER

TechnicalWhitepaper

2


INSIDE the ChannelEyes Technical WhitePaper

ChannelCandy Platform 3

A New Vision for B2B Mobility 6

Industry Leading Tools 9

Technical and Security Architecture 12

Integrations with Third Party Applications 18

Development & Testing 19

Getting Started with ChannelCandy 21

How the App Works - Simple Version 22

3


ChannelCandy Platform

The ChannelCandy platform provides a secure set of services focused on managing and analyzing your indirect sales channel. The platform breaks down into three major pieces:• Mobile Application• Content Management System• Analytics Platform

Mobile Application

The mobile application is a hybrid app built with HTML5 technology and the industry standard packaging tool, Phone Gap. This allows us to provide an agile solution that updates and enhances the users experience, without requiring them to initiate an upgrade of the app itself.

The app communicates securely over an SSL connection to our cloud infrastructure, providing the highest level of encryption for your business information. With full native support for IOS and Android, and mobile web support for Blackberry and other devices, our mobile platform works for almost all smartphone users

4


Content Management System

Our CMS is a browser-based application built on Ruby on Rails. It provides a secure portal for content managers and creators to manage and distribute assets to their channel partners. Access can be controlled for individual users based on security profiles.

The CMS provides multiple services for the Channel Manager and Content Creators including:

• Managing the Social Wall Feed• Administering the Document Repository• Managing Gamification• Managing Engagement Programs• And many other functions

Analytics Platform

Our Analytics platform provides the tools and information to manage and improve your indirect sales team. Access to the Analytics engine can be restricted to the appropriate users. The analytics and management platform allows users services including:

• Identifying Underperforming partners• Understanding the effectiveness of marketing collateral• Forecasting future activities• Collecting unique pre-sales information• And many others

The Analytics Engine is a Ruby on Rails application and also adheres to our strict security policies.

5


User Authentication

ChannelCandy supports both the Oauth and SAML standards for user authentication. This can be a real benefit to your IT staff because of the integration is straight forward and can be accomplished in less than a few hours with minimal resources. If your current systems don’t support either of these standards, the ChannelCandy can act as a registration and management engine for your partners.

A New Vision For B2B Mobility The ChannelCandy app is a custom

branded mobile app designed for Ven-dors, Distributors and Associations to deliver Channel highlights, company news and sales tools into the hands of Channel Partners. Developed by the team at ChannelEyes, it is reinventing Channel communication for leading firms in our industry.

7


Simplify Management

View analytics to predict the next best action for you and your team. Understand partner behavior using real time data. Use secure login, an Easy Content Management System, and integrations to your current systems, including SalesForce.

Simplify Communication Take communication to a new level with push notifications and a community wall consisting of social posts, comments, and private groups. Amplify your brand by syndicating news and announcements through your partners person-

al networks.

Simplify Enablement

Our configurators, quoting, locator, and deal registration tools help everyone to stay in-volved and connected. With pitch tracker, part-ners can check in when they have completed a product demo or sales call.

Simplify Motivation

Use gamification to reinforce the right behav-iors. Award badges when missions are fulfilled such as completing a survey, or even set up a points system where they could work towards something small like a gift card.

ChannelCandy runs on iPhone, iPad, Android as well as all mobile web enabled platforms such as BlackBerry, Windows and the PC Web Browser.

The mobile app delivers an innovative way to:

8


Technical Architecture - Quick Summary

Details Notes

Device Support Apple iPhone, iPad, Android phones and tablets. Blackberry and Windows Phone Support is included through a mobile enhanced website. Ask about direct support options.

Architecture Hybrid App with a Native Wrapper and Cross-Platform diplay controller. Business logic runs on the ChannelCandy Server.

Allow dynamic changes to the ChannelCandy App without a resubmission to the Apple or Google Play Store.

Push Notification Mobile Messaging provides Direct Message Support to Aplle IOS and Android devices when the App is installed from the App stores. User must accept permission to receive messages.

Provides a way to notify your users in the message section of your phone without entering the Chan-nelCandy App. Upgrade available for rich-push notifications.

Hosting/Cloud Platform

EngineYard manages ChannelCandy cloud computing resources, deployment infrastructure, elasticity, backups, disaster recovery, and ongoing performance of our high availability database clusters all with 24/7 infrastructure support.Database: Amazon EC2/Web Services Platform

We focus our time building great Apps for Vendors and let the experts manage the infrastructure.

Uptime & Scalability

ChannelCandy provides 5-9s of Availability and automatically scales to utilize burst capacity when needed.

2014: Uptime was 100%

User Limit There are no physical user limits for a ChannelCandy App.

Annual License fees are determined by number of partner companies/domains.

Communication Protocol

Supports HTTPS Provides bidirectional encryption of communications between the mobile device and the ChannelCandy Server.

User Security 3 methods to validate Username and Password- Remote Authentication Module-Upload a Whitelist of Authorized Users-Invite and Manage users Manually*Does NOT support non-business email domain

Remote authentication is an add-on module that provides single sign-on between ChannelCandy and Vendors backend system. Supports OAuth SSO or custom call. Successful API call returns user security levels and profile info to the App.

Development Environment

- Mobile User Experience: Sencha Touch- Development Environment: Ruby on Rails- Source Code Management: Git Hub- Deep Metrics: Google Analytics

ChannelCandy was designed from the ground up using industry leading development tools and technology.

API (Programmer Interface)

Comprehensive APIs for single sign-on and access to event information and news wall content.

Contact your ChannelEyes Production Coordinator for more information.

Add-on Modules In addition to the core platform features, you can enfance your CHannelCandy App with any number of add-on modules including:- Deal Registration and Form Builders- Product Card Carousel- Community Walls and Forums- Multi-Persona/Language - SalesForce.com and other integrations- Event Agenda/Speakers/Sponsors- Self Service or Managed Ad-server for sponsors

Contact a ChannelEyes Sales Representative for a complete list of add-on modules. Demonstrations can be provided by request.

9


Industry LeadingTools ChannelCandy was developed on

modern, industry-leading platforms. Our vision is a platform that can deliver scalability, reliability and low cost to our customers.

10


Ruby on Rails

The core of the application is built on Ruby on Rails. Rails is an open-source web framework that’s agile and optimized for programmer productivity. It is a full-stack framework: it allows creating pages and applications that gather information from the web server, talk to or query the database, and render templates out of the box. As a result, Rails features a routing system that is independent of the web server.

Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as active record pattern, convention over configuration, don’t repeat yourself, and model-view-controller.

Rails uses the Model-View-Controller (MVC) architecture pattern to organize application programming. In a default configuration, a model in the Rails

framework maps to a table in a database, and a Ruby file.

Ruby on Rails provides the framework where new and innovative modules can be built quickly and robustly on the ChannelCandy platform. It includes tools that make common development tasks easier “out of the box”. It also offers our development team flexibility with an open API that can easily integrate with our customer’s communication and operational platforms.

Engine Yard

Engine Yard is an industry leading platform as a service (PaaS) company focused on Ruby on Rails deployment and management.

For ChannelCandy, it handles all the details of pushing the application to the cloud, and monitors the continued operation.

Partnering with Engine Yard brings ChannelEyes Rails expertise, uptime guarantees, performance and scale on AWS – Amazon Web Services.

Sencha Touch

ChannelEyes utilizes Sencha Touch as a user interface JavaScript library, or framework, specifically built for the Mobile Web. We use it to develop user interfaces for mobile web applications that look and feel like native applications on supported mobile devices. It is fully based on web standards such as HTML5, CSS3 and JavaScript.

Sencha Touch aims to enable developers to quickly and easily create HTML5 based mobile apps that work on Android, iOS and BlackBerry devices, and produce a native-app-like experience inside a browser.

11


Amazon Web Services (AWS)

Amazon Web Services is a collection of remote computing (web) services that together make up a cloud computing platform, offered over the Internet by Amazon.com.

ChannelEyes takes advantage of the most central and well-known of these services, Amazon EC2. The service provides us a large computing capacity

much faster and cheaper than building a physical server farm.

AWS is located in 8 geographical Regions:

1. US East (Northern Virginia) 2. US West (Northern California) 3. US West (Oregon) 4. São Paulo (Brazil) 5. Ireland 6. Singapore 7. Tokyo 8. Sydney

Each Region is wholly contained within a single country and all data and services stay within the designated Region giving ChannelEyes global access and local performance.

Each Region has multiple ‘Availability Zones’, which are distinct data centers providing AWS services. Availability Zones are isolated from each other to prevent outages from spreading between Zones,

distributing load demand and avoiding downtime from failures.

PhoneGap

PhoneGap is a mobile development framework owned by Adobe Systems. It enables ChannelEyes to build applications for mobile devices using JavaScript, HTML5 and CSS3, instead of device-specific languages.

The resulting applications are hybrid, meaning that they are neither truly native (because all layout rendering is done via web views instead of the platform’s native UI framework) nor purely web-based (because they are not just web apps, but are packaged as apps for distribution and have access to native device APIs). It is even possible for ChannelEyes to freely mix native and hybrid code snippets.

Twitter Bootstrap

Twitter Bootstrap is a collection of tools for creating websites and web applications.

It contains HTML and CSS-based design templates and gives ChannelEyes a number of different customization options including typography, forms, buttons, charts, navigation and other interface components, as well as optional JavaScript extensions.

Amazon.com

12


Technical and Security Architecure

The ChannelCandy platform is deployed on the Engine Yard Cloud Platform as a Service and is built on top of Amazon Web Services (AWS). Each instance with Engine Yard is a separate AWS instance. Engine Yard Cloud boots this instance and automatically configures it with the appropriate Engine Yard Cloud platform (operating system, application and database) components for the ChannelCandy environment.

13


Other Engine Yard software, including our orchestration and automation engine, handles key functions including cluster management, load balancing, high availability, database replication, and monitoring and alerting.

ChannelEyes is committed to maintaining a safe and secure platform for our customers, business partners, and the broader Internet community.

Working closely with Engine Yard, we have developed an in-house information security and compliance function that complements Engine Yard and the controls that AWS provides.

Each ChannelCandy customer’s data is isolated from other customer’s data. No functionality is shared between virtualized instances. In our dedicated tenancy model, ChannelCandy apps operate in their own data space, including full administrative access - much like a server that is racked in a data center.

Amazon Web Services is responsible for security around the Virtualization layer, Network layer (including DDOS, spoofing, and port scanning mitigation), Physical and environmental security.

AWS provides network security controls, while Engine Yard performs the configuration of the AWS security groups.

Firewalls

Each customer cluster is protected by an AWS security group, which provides ingress network filtering from the broader Internet. By default, all access is denied with only explicitly defined ports and protocols permitted to enter the customer environment. Additionally, customers can choose to configure a host-based firewall (with IPtables being the most commonly used) to further isolate traffic on individual instances.

Distributed Denial of Service (DDoS) Mitigation

ChannelEyes relies on AWS’s proprietary DDoS mitigation techniques to lessen our customer’s exposure to successful DDoS attacks. Also, AWS’s networks are multi-homed across a number of ISPs to provide further Internet access diversity. Engine Yard assists ChannelEyes with an established contractual relationship with Amazon that grants access to AWS dedicated resources to aid in the resolution of security incidents, including DDoS attacks.

14


IP Spoofing

Engine Yard instances are unable to send spoofed network traffic. The AWS controlled firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.Port Scanning

AWS maintains the capability and responsibility for detecting illicit port scans against Engine Yard customer environments. When unauthorized port scanning is detected, AWS blocks the scan and notifies Engine Yard via their abuse process.

ChannelEyes has an established arrangement with AWS that permits our customers to conduct vulnerability scans against their environments in order to meet their specific security or compliance requirements.

Packet Sniffing

The AWS virtualized infrastructure prevents a virtual instance, running in promiscuous mode, to receive or “sniff” traffic that is intended for a different virtual instance.

While customers could place their interfaces into promiscuous mode, the hypervisor will not deliver traffic that is not explicitly addressed

to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.

Attacks such as ARP cache poisoning do not work within the Engine Yard environment.

More details on AWS’s security can be found at: https://aws.amazon.com/security

Engine Yard is responsible for managing Operating system security, Database security, Network security (ports/protocols), Vulnerability management (including testing and patching) and Support access.

Engine Yard continually looks to improve and enhance its security architecture. Engine Yard subscribes to the PDCA (Plan, Do, Check, Adjust) cycle - a tenant of the ISO 27001 Information Security Management Standard. Through this process, Engine Yard has developed a security strategy (Plan) and related security projects (Do) that address risks identified during the annual risk assessment process (Check).

Additionally, new Engine Yard architecture projects involve the information security and compliance function to assist with risk assessment and controls design in order to mitigate risk to an acceptable level.

https://aws.amazon.com/security

15


More details on Engine Yard’s security can be found at: https://www.engineyard.com/products/cloud/cloud-security

ChannelEyes is responsible for managing Access Control, Application code (non-platform related) and Compliance.

ChannelEyes takes information security seriously and has established information security policies that include requirements on:

• Information security roles and responsibilities

• Policy development, maintenance and distribution

• Information classification• Internet usage and access management• Customer data protection• Risk management and compliance

Our Chief Technology Officer owns ChannelEyes’ information security policies, and delegates multiple operational responsibilities to the Executive team.

Information security policies are reviewed annually, and updated as necessary to address new threats or findings from our risk assessment process. Information security policies are required to be read and acknowledged via signature by all ChannelEyes

personnel. Policies are published on our intranet and are available to all personnel in writing.

ChannelCandy has established three levels of information classification for the organization that applies everywhere that data is stored. Our standard includes requirements, by classification level, for protecting data in transit, data at rest, access, and the handling of information. These classification levels are Public, Sensitive and Confidential. Public data would not cause an adverse impact on our customer’s or their personnel. Examples of this data may be found on social media and on the web, outside the firewall.

Sensitive data requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. It requires higher than normal assurance of accuracy and completeness.

Channel information that normally sits behind a firewall, partner portal or other type of secure access would fall into this category.

https://www.engineyard.com/products/cloud/cloud

https://www.engineyard.com/products/cloud/cloud

Confidential data is designed for use within the company only and its unauthorized disclosure could seriously affect the company. It is rare that a ChannelCandy app would have this classification.

ChannelEyes does not host customer data in its corporate or remote offices, but rather in AWS data centers that have been certified to meet industry security standards. AWS provides the physical and environmental controls for data centers that handle our customer data.

More information can be found in our Terms of Service and Privacy Policy:

http://channeleyes.com/terms/http://channeleyes.com/privacy/

Our physical infrastructure is hosted and managed by AWS via their secure data centers. AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS’s data center operations have been accredited under:

• ISO 27001• SOC 1/SSAE 16/ISAE 3402 (Previously SAS 70 Type

II)• PCI Level 1• FISMA Moderate• Sarbanes-Oxley (SOX)

AWS has years of experience in designing, constructing, and operating large-scale datacenters. They operate the following controls:

Physical Security

• AWS datacenters are housed in nondescript facilities.• Physical access is strictly controlled both at

the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

• Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors.

• All visitors and contractors are requiredto present identification and are signed in and continually escorted by authorized staff.

• AWS only provides datacenter access and information to employees & contractors who have a legitimate business need for such privileges.

• When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services.

• All physical access to datacenters by AWS employees is logged and audited routinely.

http://channeleyes.com/terms/

http://channeleyes.com/privacy/

17


Fire Detection and Suppression

• Automatic fire detection and suppression equipment has been installed to reduce risk.

• Fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms.

• Data center environments are protectedby either wet-pipe, double interlocked pre-action, or gaseous sprinkler systems.

Power

• The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week.

• Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility.

• Data centers use generators to provide backup power for the entire facility.

Climate and Temperature

• Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.

• Data centers are conditioned to maintain atmospheric conditions at optimal levels.

• Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

Management

• Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified.

• Preventative maintenance is performed to maintain the continued operability of equipment.

18


Integrations with Third Party Applications

As discussed above, ChannelCandy is built on a modern and open platform supporting application programming interfaces (API) from leading vendors in the CRM and PRM (partner relationship) industry as well as OAuth and OAuth 2.0 authorization/authentication security standards.

OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user).

It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. OAuth 2.0 provides specific authorization flows for web applications, desktop applications and mobile phones. The specification and associated RFCs are developed by the IETF OAuth WG. The main framework was published in October 2012.

One of the most popular integrations we do is with SalesForce.com. Force.com dramatically reduces the effort to integrate with Amazon Web Services, reducing cost and complexity for our customers. Force.com directly supports Ruby on Rails and the ChannelCandy application environment, combining a framework for authentication, native access to the AWS Simple Storage System and pre-built Amazon Machine Images.

SalesForce.com

Force.com

Force.com

19


Development & Testing

ChannelEyes employs peer programming and review, as well as code “check-in” tools to perform standard bug testing. Multiple staging environments have been established to facilitate proper testing. Additionally, a formalized Quality Assurance (QA) function is established. This business unit organizes structured testing when a major function, feature, or higher risk change is to be introduced into our environment. ChannelEyes maintains processes and tools to roll back changes in case issues arise during a production deployment.

ChannelEyes engages with qualified and reputable third parties to perform penetration tests against key application interfaces. The frequency and areas of testing are commensurate with known risk. Third-party testing traditionally occurs when major changes are introduced that could impact customer data locations (for example the customer’s content management system), or when a particular application or interface has not been tested recently.

As issues are discovered, tickets are filled and remediation is initiated. After fixes are implemented, the third-party conducts retests to ensure that significant risks are mitigated and that no new security weaknesses were introduced during remediation efforts.

20


Business Continuity and Backups

Application code and databases are written out to persistent storage volumes. Engine Yard automatically mounts these volumes and takes backups for our customers. ChannelEyes takes advantage of AWS’s EBS storage allowing us to take regular disk snapshots of both of these volumes. If the need arises to ever rebuild instances from scratch, we have the ability to restore both of these volumes from previous snapshots.

ChannelEyes takes advantage of Engine Yard’s architecture that provides automatic failover that can replace a failed master application instance with an existing application slave. “Takeover” is the Engine Yard failover process for recovering from failure of an application master instance. Takeover occurs when Engine Yard detects that your application master is unable to reliably respond to requests. For example, this can happen because of an AWS

EC2 issue or because the instance froze. If the instance does not recover within a short time, Engine Yard does the following:

• Terminates the problem instance.• Promotes an application slave to master.• Assigns the old master’s IP address to the new master.• Replaces the application slave instance that was promoted. (The new application slave uses the same version of the stack as the other instances in that environment.)

All Engine Yard Cloud supporting infrastructure is located in multiple availability zones. Within the dashboard, customers can select from different regions to establish their computing clusters. Once a region is selected, the Engine Yard provisioning system distributes the instances among multiple AWS availability zones.

21


Getting Started with ChannelCandy

The development of the app is largely turn-key.

The team at ChannelEyes creates and designs the app with initial guidance from the Vendor. The branding of the app, including logos, colors, splash pages, as well as collecting information sources such as Twitter, RSS, blogs, industry magazines, news, etc.

The initial consultation takes between 60 and 90 minutes and focuses on defining roles and responsibilities, collecting marketing assets and outlines the process around integration with the Apple and Android stores.

Discussions around customization of the app start during this consultation session. Outlining the tools, resources and special links to be included in the app, as well as development resources required.

At this time we also can book a technical discussion to review any deeper integrations with enterprise back-end products, security and authentication scenarios as well as the type of end user segmentation/personalization that is required.

ChannelEyes will submit the app into the Apple App Store as well as Google Play Android Marketplace. The app will also be deployed as a mobile website, allowing usage on other mobile platforms such as Windows and Blackberry.

The time from initial consultation to delivery of the basic app is 6 weeks.

Customizations will take longer and will depend on the complexity and development work required.

22


How The App Works

The app will be downloaded by your Partners from the App Store for their device. The company logo and colors will show up as an icon on their home screen. Future improvements and feature additions will be made available and automatically updated through the iOS or Android update mechanism.

There is a notification feature that shows a red circle including the amount of missed messages on the upper right side of the app icon.

When the Partner clicks on the icon they are taken to a security sign on screen. Vendors can easily manage authorizations at the Partner organization level, saving time and ensuring that only trusted people are accessing your information.

Manage Partner invitations to the app multiple ways, including whitelisting or by an OAuth integration.

After the security screen, the Partner will access their main social wall. Here they will see a snapshot of Vendor’s new channel information, news, and updates. They can control the programs they need to follow, filter the information based on their job role and engage with questions or comments.

The Vendor has the flexibility to include content sources such as Twitter, RSS, blogs, and industry news. These highlights can quickly be seen by the Partner and selected for more information. This drives more traffic to Web Portals, marketing sources, and landing pages.

23


Customizing the App

ChannelCandy is a platform that can be easily expanded to include the tools, resources and enablement features to drive new levels of engagement by Channel Partners.There are several options for incorporating new functions into the app:

1. Link directly to mobile ready pages. (example: HTML 5)

2. Build forms that can transfer information securely back to the Vendors internal systems (example: deal registration)

3. Build mobile features directly into the app. Other ways to customize the app are to change the log in screen and add advertisements into the social stream. Announcing new products, programs, or co-marketing with another company is possible within the app.

The ChannelEyes team will work with the Vendor on different custom options and recommend solutions that blend a great Partner experience with cost effectiveness.

Learn more at:

http://channeleyes.com

or call: (518) 203-3030

http://channeleyes.com

channeleyes technical whitepaper

Business

channelcandy app

mobile platform

management platform

mobile web support

app stores

custom branded mobile

functions analytics

channelcandy server