At Ellie Mae, our top priority is the success of our customers. As part of our continued commitment to improve stability, performance and scalability for our customers, we will begin leveraging Amazon Web Services (AWS), the leader in cloud computing, to provide online services starting in October 2019.
Cloud and AWS Overview
What is a public cloud?
A form of cloud computing in which a company relies on a third-party cloud service provider for servers, data storage and applications, among other services, which are in turn delivered to the company through the internet. Amazon Web Services (AWS), Google Cloud Platform and Microsoft Azure are some of the leading public cloud providers.
What kind of cloud infrastructure does Velocify by Ellie Mae have today and why the transition to Amazon Web Services?
Velocify by Ellie Mae currently runs its Velocify applications on a private cloud infrastructure hosted by Terremark, located at facilities in Texas. While our private cloud data centers have historically served our purposes, we have experienced some challenges with scalability, elasticity and reliability. A private cloud places physical constraints on what changes can be made to hardware within the data center and bounds software designs to those constraints. It also inhibits the ability to react to outages, capacity needs, disasters and other infrastructure life cycle events within a short period of time. Lastly, as it is a managed service, IBM personnel are needed to make any changes to the physical infrastructure of the data center.
For these reasons, the organization has decided to leverage a public cloud infrastructure on AWS to take advantage of the increased benefits it offers. Moving to AWS shifts the infrastructure paradigm from physical constraints to logical constraints. Logical constraints are fully controllable within code and can draw on the service offerings provided by AWS. This means the pace at which we can adjust is fully within the control of the infrastructure code, not the physical infrastructure.
Some additional benefits of an AWS environment are:
- Scale compute, storage, memory and the network more rapidly and dynamically.
- Improved High Availability across three isolated zones per region. Terremark has just one zone. High Availability helps to ensure that enterprise workloads are protected from planned and unplanned outages.
- Redesign and provision components that leverage AWS services that are very purpose built. Some examples:
  - Realize greater computing efficiency (e.g., Lambda functions that trigger actions based on actions)
  - Spin up resources only when needed (e.g., serverless computing)
  - Security enhancements (e.g. FIPS-140-L3 everywhere at rest, transit, etc.)
  - Build custom applications (e.g. AWS Kinesis Data Streams for Messaging)
- Improve the design of existing code/product designs to leverage service based offerings that provide more possibilities for application enhancement.
Why Amazon Web Services?
Amazon Web Services (AWS) is the leading provider of cloud infrastructure and will be a technology partner that will help deliver our solutions and services with the utmost availability, performance, reliability, scalability and security.
What is Ellie Mae’s relationship with AWS?
Ellie Mae currently partners with AWS for IaaS (Infrastructure as a Service) and is leveraging AWS technology services to build and operate Ellie Mae products and services. Velocify by Ellie Mae believes we have an opportunity to leverage our existing in-house AWS expertise to improve our products’ stability and performance.
Will the move to AWS impact Velocify’s performance?
Velocify by Ellie Mae’s migration to AWS will not have a direct impact on application performance, and all of our applications are load tested to ensure they meet strict internal SLA requirements for processes. In addition, with the AWS regions in slightly different geographic regions from our current datacenter, customers may benefit from reduced latency, depending on their internet providers.
What is the timeframe of this move in terms of our account and data?
Velocify by Ellie Mae will begin transitioning our customers in weekly batches to AWS starting in late October and will be completed by early December.
How will I be notified of the AWS transition plan and schedule?
An email communication will be sent to your organization’s system administrator and executive contacts, which will include a high-level schedule and a webinar invitation for more information.
You will receive notification via email prior to your scheduled move with the date and migration window time.
How will the transition to AWS be different for existing customers vs. new customers?
This will be a seamless transition for all Ellie Mae customers. Leveraging AWS is controlled at the network and application layer and is performed by Velocify by Ellie Mae.
How will the move to AWS affect my day-to-day operations?
We do not expect any changes to the day-to-day operations of the Velocify platform. Your organization’s URLs will not change and will be automatically ported over. For reference, the new login will be lm.velocify.com. Needed redirects/configurations will be handled by the application, with some exceptions:
- IP Whitelisting: If you leverage IP whitelisting, you may need to add additional URLs/IPs to your exception block. There will be no automatic handling of IP whitelisting.
IP addresses to whitelist:
If you whitelist the outbound connections to Velocify by IP, those IPs will change next week when we shut down the Terremark datacenter. The new IPs will be hosted through the Akamai CDN service, so will not have fixed IPs. The recommendation is to whitelist the Velocify URLs. For customers that utilize whitelists for traffic inbound from Velocify, those services are already hosted in AWS and do not require any additional action.
- SAML SSO: Your SAML SSO login URL will need to be updated from https://lm.velocify.com/web/samllogin.ashx to https://lm.prod.velocify.com/web/samllogin.ashx
Note: If we’ve identified you as an SSO customer, your account manager will reach out with specific instructions and timing regarding when to update the URLs.
Should I expect there to be any downtime or will my Velocify solution be unavailable at any time during the transition?
We will be migrating your Velocify instance after business hours. During the cutover event, access to your Velocify instance will be unavailable and you will not be able to log in. We anticipate the cutover event will last up to 5 hours within your migration window. If you need to know the exact time your instance will be moved, please contact your Velocify Account Manager.
Will lead delivery from our website or third-party lead providers to Velocify be impacted?
No, your lead traffic flowing into your Velocify instance will not be impacted. Leads will be held during the scheduled downtime and released immediately following the move. They will continue to be delivered the same way they are today following the migration.
However, if your lead provider is using an HTTP end point, please work with your partners to change to HTTPS prior to December 2019, as HTTP will not be supported in AWS.
How will the mass import of cache leads be handled during the migration?
Lead import will receive the leads and try to post to the appropriate place. If the database is unavailable due to migration, then it will queue the lead and attempt to import every 15 minutes. This also applies if you have the “Post During Import” checkbox selected.
Will there be any impact to our scheduled jobs, reports or programs?
No, any scheduled jobs, reports or programs will continue to run and once the migration is complete, they will be automatically updated.
If I have an Encompass integration with Velocify, do I need to update my IP ranges?
Yes, you do. Follow the steps listed below:
- Go to file > Select Settings Manager.
- Click Allow from certain IPs – Enable.
- Click the Add + icon (top right corner) and make sure the Apply to Encompass Connect checkbox is selected.
This must be applied to all users.
Will anything happen to my other Ellie Mae product integrations?
If you have any Ellie Mae integrations (e.g., Encompass, Consumer Connect, Encompass CRM), they will continue to work.
However, if you use Encompass via the Velocify XML Poster rather than the built-in integration, you will need to change your URL from encompass.velocify.com to encompass.prod.velocify.com within their outgoing post to Encompass.
What changes will our partners be required to make?
There are currently no changes anticipated for our partners to make unless they are using an HTTP end point. Please work with your partners to change to HTTPS prior to December 2019, as HTTP will not be supported in AWS.
For import.aspx or update.aspx please reference the example in the question below.
For web services/API calls please reference the details under the “Are the endpoints for APIs changing?” question.
Are the endpoints for import.aspx or update.aspx (lead import service/update service) changing?
No, we do not expect any changes to the endpoints for import.aspx. However, if you are using an HTTP end point, you should change it to HTTPS prior to December 2019, as HTTP will not be supported in AWS.
Are the endpoints for APIs changing?
No; however, we will not support HTTP end points post migration to AWS.
We have seen increased latency in large lead batch requests between our Terremark DC that are automatically routed to AWS.
To address latency and future proof your API endpoints, please move off the current endpoints to the new endpoints on AWS after your migration or prior to December 2019:
What is the impact on existing third-party API integrations?
There will be no changes. We will keep the API integrations the same as they are today and the same SLAs will be supported. However, we will not support HTTP end points post migration to AWS.
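The changes this FAQ asks customers and partners to make (HTTP to HTTPS, the SAML SSO login host, and the Encompass XML Poster host) can be checked across an inventory of configured URLs. The script below is an added example, not Velocify or Ellie Mae code; the inventory entries, including the hosts and paths used with import.aspx and the XML Poster, are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Host changes stated in this FAQ: (old host, path prefix) -> new host.
HOST_MOVES = {
    ("lm.velocify.com", "/web/samllogin.ashx"): "lm.prod.velocify.com",
    ("encompass.velocify.com", ""): "encompass.prod.velocify.com",
}

def audit_endpoint(url):
    """Return (corrected_url, findings) for one configured URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Match on the parsed hostname, not a substring, so a lookalike such as
    # lm.velocify.com.example.net is not treated as a Velocify endpoint.
    if not (host == "velocify.com" or host.endswith(".velocify.com")):
        return url, []
    findings = []
    scheme = parts.scheme.lower()
    if scheme == "http":
        findings.append("plain HTTP is not supported after the move to AWS")
        scheme = "https"
    new_host = host
    for (old, prefix), new in HOST_MOVES.items():
        if host == old and parts.path.lower().startswith(prefix):
            findings.append(f"host {old} must become {new}")
            new_host = new
    # Keep an explicit port only when it is not a scheme default.
    netloc = new_host
    if parts.port and parts.port not in (80, 443):
        netloc += f":{parts.port}"
    fixed = urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))
    return fixed, findings

def audit_inventory(urls):
    """Return {original_url: (corrected_url, findings)} for URLs needing change."""
    results = {u: audit_endpoint(u) for u in urls}
    return {u: r for u, r in results.items() if r[1]}

# Constructed inventory; real hosts and paths in your configuration may differ.
SAMPLE_INVENTORY = [
    "http://lm.velocify.com/import.aspx?provider=demo",
    "https://lm.velocify.com/web/samllogin.ashx",
    "http://encompass.velocify.com/post",
    "https://lm.prod.velocify.com/web/samllogin.ashx",
    "http://lm.velocify.com.example.net/import.aspx",
]

if __name__ == "__main__":
    for original, (fixed, notes) in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{original}\n  -> {fixed}\n  " + "; ".join(notes))
```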
Are there any changes to the automated data extract?
No, they will continue to work and the data flows will stay the same.
Will the Velocify pages or priority views change?
All the pages and views will remain the same.
Will we have to do anything different if we have an internal server?
No, your internal server will continue to communicate with our servers the same way.
If we are already an existing AWS client, would we be able to transfer and store our Velocify records/data into our own AWS account?
At this time we do not support putting data into a customer’s AWS account and it is not in our current roadmap.
If you have any questions please email firstname.lastname@example.org or contact your Velocify by Ellie Mae Account Manager.
Backup, Data, and Security
How does AWS impact data storage and encryption policies?
Encryption policies continue to be enhanced and expanded to address the security and data concerns in the public and private cloud. The data will continue to be encrypted in the public cloud just as it has been in the private cloud, however the technologies used for the encryption may change to support the increased availability, scale and integrity requirements.
AWS will not change our data retention or encryption key process and policies. As we are leveraging different technologies, in some cases the method used to encrypt the data or interface with the keys has changed and will change, but this will not have a material impact on the data encryption policy.
Does AWS affect data backup policies, such as backup times, availability of backups, and storage locations of backups?
Ellie Mae stores three copies of all data. This model will not change in AWS with data being stored in at least two US based regions with a cold archive copy in a third region. Backups and backup availability will not change with our transition to AWS.
Will client data remain in the United States at all times?
Yes, all of Ellie Mae’s client data is always stored in the United States. AWS is broken down into Regions and Availability Zones. A Region is a geographic area, and Availability Zones are multiple data centers in a designated Region.
Ellie Mae is leveraging three regions: US-WEST-2 (Oregon), US-EAST-1 (Virginia) and US-EAST-2 (Ohio). Ellie Mae also leverages multiple availability zones within each given region and has disabled the ability to spin up resources in any other region not approved.
Will Ellie Mae be providing SOC 2 and related security, disaster recovery, audit and related due diligence of AWS to clients?
Ellie Mae has been a SOC 2 certified organization since 2012 and we will continue to go through SOC certification every year which includes Ellie Mae hosting on AWS. In addition to that, AWS also maintains SOC certifications for Infrastructure, but Ellie Mae cannot provide SOC 1 and SOC 2 reports for AWS directly.
If you have an AWS account already or can sign up for one at aws.amazon.com, you can request a copy of their SOC reports directly through AWS Artifact Service in your AWS account.
In addition, a large overview of AWS’s security controls, control mappings and resources are publicly available at https://aws.amazon.com/security.
The security model for AWS is a shared responsibility model and will be reflected in our future SOC 2 reports as well. Ellie Mae will take advantage of the multiple regions and availability zones that the AWS cloud provides to address high availability and disaster recovery. Data retention requirements do not change between public and private cloud, but the method by which the data is stored may change to take advantage of the public cloud. Ellie Mae will invest in improving Recovery Point (RPO) and Recovery Time Objectives (RTO) in AWS.
What security standards or frameworks does AWS comply with today?
Amazon Web Services holds more than 20 domestic and international compliance accreditations, including SOC, PCI and ISO, among others, which allows Ellie Mae to build more security controls on top of the existing controls at the infrastructure layer. Please see below for the list of compliance certifications that AWS maintains (reference: https://aws.amazon.com/compliance).
Does AWS meet or exceed the same security standards as Velocify by Ellie Mae’s existing data centers?
Ellie Mae built our security program on ISO27001 which follows the guidelines provided in:
- FFIEC Information Technology Examination Handbook for Information Security
- NIST Cyber Security Framework
- SOC 2 Trust Principles
These are standards similar to those of AWS. AWS standards also meet personal health data, Department of Defense security and European data privacy standards. Combining Ellie Mae’s application expertise and robust security controls with an infrastructure provider like AWS increases the security of our service and ensures we meet the strongest compliance requirements.
Does Ellie Mae remain responsible for securing customer data?
Yes. AWS provides robust controls to ensure security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared between Ellie Mae and AWS. Ellie Mae is, and will remain, directly responsible for securing our customers’ data and will continue with Service Organization Controls attestations for Ellie Mae products and services.
Is any borrower information hosted or accessed at any time by AWS?
AWS has no access to any Ellie Mae data, borrower or otherwise. In addition, Ellie Mae encrypts all Personally Identifiable Information (PII) data and the key is secured in Ellie Mae’s private cloud. Ellie Mae employs industry-standard encryption that meets FIPS-140 compliance requirements.
Who should I call if I have any issues with my applications after moving to AWS?
Ellie Mae clients should continue to use the current process for requesting information from their Velocify by Ellie Mae Account Manager and help from Technical Support.
For critical issues you can leverage our dedicated Afterhours Migration Support line at 888-334-0627.
If you need technical assistance during normal business hours, contact our standard Velocify Support line at 844-327-3296.
More questions? Please email any questions to email@example.com.
Additional AWS reference materials: