executive-blog

January 29, 2010

Security and Plan B

Security is not a thing to be taken lightly. Think about the information that is stored on your server; think about how many months' or years' worth of data is stored in your databases. Your account information holds a master key to all of this data on your server. This is the very reason this information is protected so closely by the SoftLayer staff.

All companies work very hard to make sure that their products and services are as easy to use as possible. Security, on the other hand, seemingly works as hard as possible to make the product or service difficult to use. While it is never our intention to make any service difficult to use, it is our intention to make them secure. This is the very reason why, when we are presented with any questions via phone that are sensitive to the operation of your server or account, we ask the inconvenient questions to make sure the person on the other end of the phone line is authorized to make the requested changes to the account or the server.

Up to this point this article has not been as lighthearted as I had originally intended, but it’s all about being prepared. The point is, everyone deserves a vacation at some point or another (or believes they do), and according to Murphy’s Law, something will inevitably occur that requires immediate attention. An issue can occur when you’re enjoying that time on the beach, your mind a million miles from bits and bytes, and you miles from anything that can be used to properly manage your server or your account.

While you are out, have you made proper provisions to ensure someone can manage your hardware in your place? Your staff may have the passwords for the servers, IP addresses, and may be able to drop your name; but, I assure you this is not enough information for the SoftLayer support staff to submit a ticket, reboot, or log into your server on your behalf. Have you made sure that in a panic situation someone will be able to provide us with the answers to the security questions on the phone? Are you sure whoever is left in charge has been given the proper permissions in our management portal? Making sure these points have been thoroughly covered prior to your vacation, or even leaving for the day, will help you minimize risk while maximizing your beach vacation.

January 25, 2010

Convenience Kills?

Have you seen the new Brita commercials that have the girl running on the treadmill? The tag line says something like, “1 hour on the treadmill.” Then a new tagline appears right above a store bought water bottle and says, “in the landfill for life.” That is a telling commercial. Convenience kills our planet. Before bottled water we grabbed a glass or plastic cup, filled it up and drank it, washed it, then rinsed and repeated it. Nothing went to the landfill. Even further back, and I barely remember this one, my grandfather would walk my brother and me over to a tiny little drug store close to his house; and, we could get a Dr. Pepper from a soda fountain in a glass soda cup and drink it and leave the glass behind for the next customer. You got it—nothing in the landfill. The same goes for coffee now. Cup after cup from a drive through window and where do the cups go? The landfill. In the past, you had a mug to use again and again. Cell phones? Why, yes! They are culprits too. We used to simply use a wall phone and not have to worry about upgrading it every 2 years and getting a new battery once a year. We now fill landfills with phones, chargers, and wasted batteries. If you look closely at everything I have mentioned so far, they are all designed to make our lives more and more convenient.

With so many people using convenient things today, we at SoftLayer do the best we can to make things very convenient but also do our part for the globe. We only print things on paper when absolutely necessary. Not only do we save a tree, but it is much more secure. Everyone recently received a plastic cup with the SoftLayer logo on it for water or tea. We can use these instead of using so many disposable plastic cups. We have recycle bins in each break room for the recyclables; and, as we have stated in many blogs, we have contracts in place with recycling shops for the extra server packaging we receive with new shipments. We do our best to stick to the 3 R’s—reduce, reuse, and recycle.

So how does SoftLayer continue making our service so convenient without being wasteful? I am glad you asked! Instead of going out and buying home servers, or desktop servers—which seems to be the newest craze—and then having to throw away all the unused documentation and unused packing materials, we simply choose to team up with Supermicro. They are a server manufacturer that listens to their customers' needs and provides solutions as well as design flexibility, rapid order fulfillment, and superior quality. We are no longer relegated to do what the other server manufacturers force on other customers. This gives us the freedom of convenience while still being green. Does it make our competitors green with envy? Sure it does. That is why there are lower price points offered in the hosting market by our competitors still using workstations, desktop and home servers instead of enterprise class, high efficiency, and low power consuming servers. The efficiency of our servers allows us to have very dense server rooms with a smaller footprint, which saves on power consumption for cooling as well. Last but not least, by using rack mount servers instead of towers, Supermicro has worked with us to reduce the packing materials by 80%—resulting in an eight pound reduction in the total weight of each server.

At SoftLayer we take pride in making convenient, green IT; and with Supermicro as a great partner, we continue to do just that.

January 22, 2010

A Little History Lesson and Reflection

In this industry, it seems very easy to get in the rut of looking forward without stopping to take the time and look back. Whether it is a project deadline or just planning for the future, past accomplishments sometimes get lost in the day to day workload. I remember back on January 23rd of 2006—exactly four years ago tomorrow—when we opened the doors. We had 17 employees and around 1,000 servers in our one and only Dallas server room. With just 17 employees you can imagine we wore many hats, and I will not miss or take for granted prepping racks, such as putting cage nuts or rails in, ever again.

From our humble beginnings, things grew at a rapid pace to say the least. Over the last four years, we have grown to 175 employees, 25,000+ servers spanning facilities in Dallas, Seattle, and Washington D.C. and just recently passed the $100 million annualized run rate mark. Not too shabby for four years, if I do say so myself.

The product and service offerings have grown at an astounding pace as well. Thanks in part, I think, to our API—launched publicly in May of 2007. Was that over two years ago? It seems like yesterday. On top of that, there have been too many individual products to list here. Some highlights would fall into the areas of: CloudLayer, StorageLayer, backup solutions, and security solutions—just to name a few!

Looking forward I think 2010 is going to be a big year for SoftLayer, not that the past years haven’t been. I cannot get into any details; but, as usual there are big plans on the horizon, and you know we aren’t planning on slowing down anytime soon. Looking back, it has been a packed and crazy four years, but I would not trade it for anything.

January 21, 2010

2010 PCI Compliance and You

I know you already know everything about PCI compliance, especially the if’s, and’s, and but’s that go along with it. But, just in case you forgot, here it is in a nutshell.

Is PCI compliance a Federal law? Nope! Not yet anyway. Some states do make it a crime to let credit card data “be” stolen.

What is PCI? It is actually PCI DSS and it stands for Payment Card Industry Data Security Standard.

Who needs it? Anyone that accepts, transmits, or stores ANY credit card data.

Are there different levels? Yes, I am glad you asked.

  • Level 4 – Any merchant processing fewer than 20,000 credit card e-commerce transactions in a 12 month period
  • Level 3 – 20,000 up to 1 Million transactions
  • Level 2 – 1 Million up to 6 Million
  • Level 1 – 6 million + (or any merchant that Visa feels should meet level 1 to minimize risks) This is what we are all striving for, right?

Who cares if you are PCI compliant? For starters, YOU should! And secondly, your merchant bank will care. They will care more the larger you get. See minimize risks statement above.

Since it isn’t a federal law should I risk it, because I know my security and I am impenetrable? I wouldn’t take that risk because you can still pay fines, card replacement costs, and pay for forensic audits, etc., if someone were to get in and steal data.

How can SoftLayer help? For starters and a quick level 4 fix you can go here and get free scanning on a single IP. Combine that with a “quick” questionnaire about your physical and data security policies and voila, no onsite visit needed and you are now PCI Level 4. McAfee can help you with your higher level compliance if you would like. Don’t take the questionnaire too lightly because remember you do care about PCI!

Ok so if you have made it this far then you must like boring reading. Go read this. It might come in handy someday. It is the “do this if you get hacked” cheat sheet.

On to 2010! MasterCard stepped up in 2009 and stated that even their Level 2 merchants had to have an onsite QSA assessment by December 31, 2010. That has now been pushed to June 30, 2011. There seems to be some confusion from the other Credit Card companies and they didn’t all jump on board. One thing that they did all agree on is that you can’t put credit card info on WEP secured wireless at all after July 2010. Just don’t do it! And don’t use old unpatched payment applications because they are insecure and will not be allowed after July as well.

This could all change just like Texas weather. If you don’t like the new rules, then just wait a couple of days and they may change it more to your liking. There are still a few things they are looking at going forward that I will let you in on and then I assure you I will stop typing. PCI 1.2 is still about stopping hackers from getting in; there is a new interest in the community on addressing “internal” hackers. The current focus of PCI is aimed at card data “after” authorization but doesn’t say much about card data that is kept prior to authorization, so you can bet that will be added soon too. And of course, cloud infrastructure and card data has to be on everyone’s radar screen soon.

January 20, 2010

Hosting for Haiti

SoftLayer is joining the online project Hosting for Haiti in an effort to raise awareness and funding for the American Red Cross. The earthquakes in Haiti on January 12 and the resulting aftershocks have left the country devastated.

The American Red Cross is dedicated to providing emergency relief and recovery to help those affected by the disaster.

This project is a joint effort between hosting providers like ourselves. Peer1 Hosting, GoGrid, The Planet, ServInt, and Rackspace are all involved in helping with donations and spreading awareness. If you would like to get involved, follow the info link at http://hostingforhaiti.com/.

Follow on Twitter: @hostingforhaiti or use the hashtag #hostingforhaiti.

January 20, 2010

Mexican Food vs. On Demand Infrastructure

My friend Ric Moseley has an interesting theory regarding Mexican food. He claims that all Mexican food has the same basic major components, each dish just stacks the components up in different ways. The major components are tortillas, meat and sauce. Of course there are a couple of different ways to prepare each of these components, but in the end, it really boils down to tortillas, meat and sauce. This applies to just about every main-line dish you find on the menu at any number of the local Tex-Mex restaurants. Crispy tacos, soft tacos, enchiladas, tostadas, burritos, fajitas, nachos, quesadillas, flautas, tamales (well almost)... Add more here... I'm going to stop myself before I start sounding like Benjamin "Bubba" Bufford-Blue from Forrest Gump, but you get the idea. By no means am I knocking the combined assembly. Quite the opposite; I'm a huge fan! When it comes down to it, I appreciate the creativity that is involved in putting these ingredients together in such a manner that the finished combination is far greater than the sum of its parts.

And that kind of leads me back to what SoftLayer brings to the table, so to speak. SoftLayer provides all sorts of components for the modern enterprise. Plenty of folks use them as is; heck, who doesn't enjoy a warm fresh tortilla with a pat of butter? However, for many people, it’s just an appetizer. The real satisfaction is from the combination of the united components when that steaming plate of enchiladas arrives. One of the great satisfactions of my job is seeing how our customers roll up our components in new and creative ways. The array of application deployments that are hosted by SoftLayer is entirely staggering. Let me throw on my digital chef hat for a minute. Start with a private network database, add public network servers, mix in some cloud computing for quick scalability, and wrap it all in a load balancer. Que bueno! That's some good cooking, and this chef is off to the margarita machine!

January 18, 2010

Maintenance FTW

I am a bit of an automotive enthusiast, so when I'm not working, I do spend a fair amount of time browsing automotive websites. I, like many people in the hosting industry, crave information. I like hearing about new design directions, emerging technologies, and past stories about others' experiences with their vehicles. While browsing, I came across some images of the guts of a BMW that had gone in excess of 60 thousand miles without an engine oil change. Needless to say, the internals were slathered with a gummy sludge and the engine was ruined.

Many technologies we use these days have become so commonplace and are operationally intuitive enough that we are often able to figure them out and use them without ever having to crack open an owner’s manual. I bring this up because many technologies in the hosting industry follow suit. There are a number of developers who create software that is designed to make it easy to host websites. They are marketed as the only solution you ever need and, in some cases, imply that all you need to know is how to use a web browser to successfully host websites, not only for oneself but a plethora of other clients too! The servers run themselves, and you only need to spend a few minutes setting your clients up! It's like free money!

Unfortunately, as the owner of the previously mentioned BMW found out, this is not the case. There are a lot more things going on behind the scenes than just seats and a steering wheel, and the same is true of servers. On occasion, we receive support tickets that just say "the site stopped working." In an attempt to gather more information, we will often ask the client a wide range of questions that help us find the problem faster and come up with the best possible solution. However, sometimes the answer from the customer is, "I haven't touched or logged into the server in days/ months/ (hopefully not) years." The more relevant metaphor for this is, "I haven't changed my BMW's oil in years!" Servers are like any other complex machine. They require constant maintenance. This includes: updating anti-virus definitions, monitoring bandwidth usage for anomalous spikes, rotating logs out if they are getting too large (provided some other rotation scheme is not already in place), keeping an eye on disk space usage, and creating a disaster recovery plan and backups. So take some time, get to know your server, and familiarize yourself with good preventative maintenance techniques. Your server, your clients, and your BMW (if applicable) will love you for it.

January 15, 2010

API in Real Life

An API (application programming interface) is an interface that allows software programs to communicate with each other. The communication barrier between programs has become thinner as APIs have evolved over the recent decades, like our languages have over the years. At SoftLayer, we have plenty of opportunities to interact with many different APIs from various companies. Some of us work with a driver API, some work with SOAP, or some work with XML-RPC for some projects. If you’re our customer, I bet you can easily imagine the number of APIs we use by looking at the products and services we offer. Not only are we a large API consumer, but we also provide a great number of APIs to our own customers. It seems that the interaction between software programs evolves just like our lives.

It’s hard to survive alone in this world. We are social beings, and we need others for interaction. A software program pretty much works the same way. There is no program that is a know-it-all or do-it-all. If there were one like that, I would not have a job. Software can expand its capabilities by working with other programs just like we, as humans, help each other. APIs act as a communication tool like our languages; and, by the way, there are many dialects too.

When a program starts to interact with another through an API, it can be compared to a marriage. They are stuck together. However, programs can marry many others. When two programs start to interact, one cannot change its API without the other knowing. It would be as if your wife started talking to you in Danish all of a sudden. Even a small change in an API can cause a very bad outcome. Imagine that your wife told you to throw your socks in the laundry basket and you have been following this rule for years. Can you imagine what would happen if you left your socks by the bed one day? No, it simply wouldn’t work. If you really need to change the rule, it’s time to consider a divorce, in other words, API version 2. As I mentioned, a program can have multiple partners and you can’t expect them to follow new rules all at once. Your best bet would be to write a version 2 and keep the original version for old times’ sake. Trust me, people are very hesitant when it comes to changing their routine, including me. (Why should I touch a working program just because you updated YOUR API?)

Most APIs that I have used and seen are wonderful. I have seen APIs that work like a jack-of-all-trades, trying to do everything for me, but I didn’t like it. I would not like a BLT with onions, eggs and mustard. I just wanted a B.L.T, period! I have also seen APIs that require too many prerequisite steps (invocations) to get a simple result. How many times must you get transferred until you finally get someone to help with your phone bill? Jeez!

Ok, enough of these funny comparisons. I, a biased user, have listed below what I think is a good API:

  • A good API should not change often. If change is inevitable, it should give you plenty of notice and allow backward compatibility.
  • A good API should explain why it couldn’t work instead of the infamous “Error: -1”.
  • A good API should have good documentation, so you’re not left scratching your head.
  • A good API is accessible by different platforms.
  • A good API should be stable.
  • A good API should be simple and comprehensive. It should do what it says it does and it should do it well. Prefer “powerOn()” over “powerOnWhenIdleAndStartServices()”.

A good API implies the readiness of communication with other programs and other companies. It will broaden opportunities for your programs and organization to work with others, just like a person with good communication skills has a better chance of fitting in our society.

January 13, 2010

Always Have a Backup Plan...

Everyone always says it’s a good idea to have a backup plan just in case your primary plan bites the dust. I couldn’t agree more. Recently my personal Xbox 360 failed and this has caused plenty of grief in my household. I used my Xbox to stream content from Windows Media Player on my desktop to the TV (via Media Center edition of Windows XP). This has worked great and has been able to provide me with a means to entertain my child. Of course, this going out has caused a screaming baby because now she can’t watch her “movies”.

Now, had I had a proper backup plan, this wouldn’t be an issue. See, I put all of my trust into a single device and/or single method to accomplish something. When this device failed, my operation came to a halt. I didn’t listen to the advice I’m always telling our customers… have a backup or backup plan. This is where our “extra services” come into play. Not only do we offer backup solutions (eVault, NAS…) but we also offer solutions that allow you access to high-availability configurations (Citrix XenServer, for example). With XenServer you can configure a cluster of systems and set up automatic failover. This would prevent any major outages of your website/services. If this isn’t something you think would work for you, utilizing eVault backups might. We now offer eVault Bare Metal Restore. Now, the problem is somehow applying these to my Xbox so my kiddo can go back to watching her movies... Long story short, don’t rely on a single solution. Always have a backup plan or system in place to prevent headaches in the future. You won’t regret it if you do.

January 12, 2010

SLXXXXX Twitter Log

8/24/2009 1:00PM – Just ordered 3 more servers from SL. Man I love how easy it is to order, and the provisioning time is incredible.

8/24/2009 11:45PM – Got the new servers setup; now I have redundancy for my app. G’nite.

9/04/2009 8:00AM – Suhweet, just passed 50K users for my app. Hitting the pool.

9/21/2009 6:42PM – Oops, app crashed too many users. Recovering now. Thank goodness for monitoring alerts.

9/21/2009 8:13PM – Sorry all, app back up. SL CloudLayer really helped. Their portal makes it all easy.

9/22/2009 3:13AM – Ok stayed up late tonight and added new functionality to the app and added a new app server, geographic load balancing baby!

10/6/2009 2:45PM – Thanks for all the support on the app, keep the new ideas coming. 450K users and growing.

10/31/2009 5:50PM – Happy Halloween! 627K users. Thank you!!

11/14/2009 6:02AM – Getting close 989K users. Party at 1 Million. Just added 2 new front end servers in each DC, adding cloud storage now for Data replication/protection.

11/21/2009 7:31AM – It’s finally here 1 Mil. Party time! Isn’t ad revenue the greatest. The in game pay to play money is fun too. Thanks all!

12/10/2009 4:42PM – Still growing. I was alerted that one server crashed. No users affected. Technology is cool.

12/18/2009 9:16PM – ‘Bout to go silent for the Holidays. Hope you all have good ones. See you at 1.5 million when I return.

12/19/2009 7:00AM – Decided to add a couple more cloud instances for good measure. App is smoking fast.

12/31/2009 10:45PM – Monitoring just hit my phone, at party will check asap.

12/31/2009 11:00PM – Found a netbook at the party. App is crashed. Looking.

12/31/2009 11:07 PM – WT? All servers down, hard down. SL up and friend app good on SL network. Investigating, sorry for outage.

12/31/2009 11:10 PM – Hackers? Not sure all servers affected. Ping only. Had very secure. No problem before.

12/31/2009 11:29PM – Portal password got hacked. Intruders OS reloaded every server with RedHat, turned off all CCI.

1/04/2009 6:00AM – Happy New Year, mine sucked – app back – 5000 daily users. Sad day.

While the above is completely fictional, it could happen to just about anyone. Don’t let it happen to you. No matter how long and how secure you think your password is, there is someone out there who can crack it. It is one thing keeping a server secure and most technical geniuses are very adept at doing just that. With all the time and effort it takes to keep your servers secure, you might find that you have slipped in other areas. SoftLayer is here to help in VIP Style.

The cutting edge SoftLayer portal now has optional Two Factor Authentication support using VeriSign’s Identity Protection. First, what is Two Factor Authentication? It is defined as, “something you know (password) and something you HAVE (pin number of sorts).” Here is how it works:

You buy a physical device in the form of a keychain token or a credit card token; or in the cool age of technology, you can simply get one of the free phone apps that do the same thing for you without the extra piece of equipment to carry. Once you get the device/app, you go to the portal, register the token’s unique ID, and attach it to a username on the account. The master user gets this FREE, and if you want other users on your account to have this functionality it is $3 per user per month. If the master user does turn on this functionality, no one else will be allowed into the system without using two factor authentication. Once this is set up, the user will log in using their “known” password and then will also have to enter the “code” (the thing you have) shown on the token device or phone app to gain access. The code changes on a fast schedule so this is extremely secure. This would have made the New Year’s celebration for the person above much more fun.
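As an added illustration (not SoftLayer's or VeriSign's code), the sketch below shows a login check that requires both the password and a code that changes on a schedule. It assumes the standard time-based algorithm from RFC 6238 with a 30-second step, since the page does not say which algorithm the VeriSign tokens use; `make_user`, `login` and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid; RFC 6238 default, assumed here
DIGITS = 6   # code length shown on the token, assumed here


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a time-step counter (RFC 4226 truncation, RFC 6238 counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, salt: bytes, token_secret: bytes) -> dict:
    """Constructed record: what a portal might hold once a token is registered."""
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "token_secret": token_secret,
        "last_counter": -1,   # highest time step already used for a login
    }


def login(user: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Grant access only if BOTH factors check out.

    `window` tolerates clock drift by also trying neighbouring time steps.
    A code is accepted once: anything at or before the last used step is refused,
    so a code observed in transit cannot be replayed.
    """
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current = now // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp(user["token_secret"], counter).encode()
        if hmac.compare_digest(expected, code.encode()):
            matched = counter
    fresh = matched is not None and matched > user["last_counter"]
    if pw_ok and fresh:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret, not a real key
    user = make_user("portal-password", b"constructed-salt", secret)
    code = totp(secret, 59 // STEP)
    print("first use :", login(user, "portal-password", code, 59))
    print("replay    :", login(user, "portal-password", code, 59))
```

With this check in place, a cracked portal password alone fails the login, which is the scenario in the fictional log above.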

One last thing, since we partnered with VeriSign you can use the token device or phone app for different sites that use the VeriSign product. PayPal is one example. Here is a complete list.

Now that you know about it, and now that we offer it, don’t be the guy that doesn’t keep the portal secure and misses out on a Happy New Year!
