Introductions Posts

January 21, 2010

2010 PCI Compliance and You

By in Business, Executive Blog, Introductions, SoftLayer, Technology

I know you already know everything about PCI compliance, especially the if’s, and’s, and but’s that go along with it. But, just in case you forgot, here it is in a nutshell.
Is PCI compliance a Federal law? Nope! Not yet anyway. Some states do make it a crime to let credit card data “be” stolen.
What is PCI? It is actually PCI DSS and it stands for Payment Card Industry Data Security Standard.
Who needs it? Anyone that accepts, transmits, or stores ANY credit card data.
Are there different levels? Yes, I am glad you asked.

  • Level 4 – Any merchant processing fewer than 20,000 credit card e-commerce transactions in a 12 month period
  • Level 3 – 20,000 up to 1 Million transactions
  • Level 2 – 1 Million up to 6 Million
  • Level 1 – 6 million + (or any merchant that Visa feels should meet level 1 to minimize risks) This is what we are all striving for, right?

Who cares if you are PCI compliant? For starters, YOU should! And secondly, your merchant bank will care. They will care more the larger you get. See minimize risks statement above.
Since it isn’t a federal law should I risk it, because I know my security and I am impenetrable? I wouldn’t take that risk because you can still pay fines, card replacement costs, and pay for forensic audits, etc. if someone were to get in and steal data.
How can SoftLayer help? For starters and a quick level 4 fix you can go here and get free scanning on a single IP. Combine that with a “quick” questionnaire about your physical and data security policies and voila, no onsite visit needed and you are now PCI Level 4. McAfee can help you with your higher level compliance if you would like. Don’t take the questionnaire too lightly because remember you do care about PCI!
Ok so if you have made it this far then you must like boring reading. Go read this. It might come in handy someday. It is the “do this if you get hacked” cheat sheet.
On to 2010! MasterCard stepped up in 2009 and stated that even their Level 2 merchants had to have an onsite QSA assessment by December 31, 2010. That has now been pushed to June 30, 2011. There seems to be some confusion from the other Credit Card companies and they didn’t all jump on board. One thing that they did all agree on is that you can’t put credit card info on WEP secured wireless at all after July 2010. Just don’t do it! And don’t use old unpatched payment applications because they are insecure and will not be allowed after July as well.
This could all change just like Texas weather. If you don’t like the new rules, then just wait a couple of days and they may change it more to your liking. There are still a few things they are looking at going forward that I will let you in on and then I assure you I will stop typing. PCI 1.2 is still about stopping hackers from getting in, but there is a new interest in the community in addressing “internal” hackers. The current focus of PCI is aimed at card data “after” authorization but doesn’t say much about card data that is kept prior to authorization, so you can bet that will be added soon too, and of course cloud infrastructure and card data has to be on everyone’s radar screen soon.

January 20, 2010

Hosting for Haiti

By in Culture, Introductions, News, SoftLayer

SoftLayer is joining the online project Hosting for Haiti in an effort to raise awareness and funding for the American Red Cross. The earthquakes in Haiti on January 12 and the resulting aftershocks have left the country devastated.

The American Red Cross is dedicated to providing emergency relief and recovery to help those affected by the disaster.

This project is a joint effort between hosting providers like ourselves. Peer1 Hosting, GoGrid, The Planet, ServInt, and Rackspace are all involved in helping with donations and spreading awareness. If you would like to get involved, follow the info link at http://hostingforhaiti.com/.

Follow on Twitter: @hostingforhaiti or use the hashtag #hostingforhaiti.

January 15, 2010

API in Real Life

By in Development, Introductions, SoftLayer

An API (application programming interface) is an interface that allows software programs to communicate with each other. The communication barrier between programs has become thinner as APIs have evolved over the recent decades, like our languages have over the years. At SoftLayer, we have plenty of opportunities to interact with many different APIs from various companies. Some of us work with a driver API, some work with SOAP, or some work with XML-RPC for some projects. If you’re our customer, I bet you can easily imagine the number of APIs we use by looking at the products and services we offer. Not only are we a large API consumer, but we also provide a great number of APIs to our own customers. It seems that the interaction between software programs evolves just like our lives.

It’s hard to survive alone in this world. We are social beings, and we need others for interaction. A software program pretty much works the same way. There is no program that is a know-it-all or do-it-all. If there were one like that, I would not have a job. Software can expand its capabilities by working with other programs just like we, as humans, help each other. APIs act as a communication tool like our languages; and, by the way, there are many dialects too.

When a program starts to interact with another through an API, it can be compared to a marriage. They are stuck together. However, programs can marry many others. When two programs start to interact, one cannot change its API without the other knowing. It would be as if your wife started talking to you in Danish all of a sudden. Even a small change in an API can cause a very bad outcome. Imagine that your wife told you to throw your socks in the laundry basket and you have been following this rule for years. Can you imagine what would happen if you left your socks by the bed one day? No, it simply wouldn’t work. If you really need to change the rule, it’s time to consider a divorce, in other words, API version 2. As I mentioned, a program can have multiple partners and you can’t expect them to follow new rules all at once. Your best bet would be to write a version 2 and keep the original version for old times’ sake. Trust me, people are very hesitant when it comes to changing their routine, including me. (Why should I touch a working program just because you updated YOUR API?)

Most APIs that I have used and seen are wonderful. I have seen APIs that work like a jack-of-all-trades, trying to do everything for me, but I didn’t like it. I would not like a BLT with onions, eggs and mustard. I just wanted a B.L.T, period! I have also seen APIs that require too many prerequisite steps (invocations) to get a simple result. How many times must you get transferred until you finally get someone to help with your phone bill? Jeez!

Ok, enough of these funny comparisons. I, a biased user, have listed below what I think is a good API:

  • A good API should not change often. If change is inevitable, it should give you plenty of notice and allow backward compatibility.
  • A good API should explain why it couldn’t work instead of the infamous “Error: -1”.
  • A good API should have good documentation, so you’re not left scratching your head.
  • A good API is accessible by different platforms.
  • A good API should be stable.
  • A good API should be simple and comprehensive. It should do what it says it does and it should do it well. Prefer “powerOn()” over “powerOnWhenIdleAndStartServices()”.

A good API implies the readiness of communication with other programs and other companies. It will broaden opportunities for your programs and organization to work with others, just like a person with good communication skills has a better chance of fitting in our society.

January 12, 2010

SLXXXXX Twitter Log

By in Executive Blog, Introductions, Social Media, SoftLayer

8/24/2009 1:00PM – Just ordered 3 more servers from SL. Man I love how easy it is to order, and the provisioning time is incredible.

8/24/2009 11:45PM – Got the new servers setup; now I have redundancy for my app. G’nite.

9/04/2009 8:00AM – Suhweet, just passed 50K users for my app. Hitting the pool.

9/21/2009 6:42PM – Oops, app crashed too many users. Recovering now. Thank goodness for monitoring alerts.

9/21/2009 8:13PM – Sorry all, app back up. SL CloudLayer really helped. Their portal makes it all easy.

9/22/2009 3:13AM – Ok stayed up late tonight and added new functionality to the app and added a new app server, geographic load balancing baby!

10/6/2009 2:45PM – Thanks for all the support on the app, keep the new ideas coming. 450K users and growing.

10/31/2009 5:50PM – Happy Halloween! 627K users. Thank you!!

11/14/2009 6:02AM – Getting close 989K users. Party at 1 Million. Just added 2 new front end servers in each DC, adding cloud storage now for Data replication/protection.

11/21/2009 7:31AM– It’s finally here 1 Mil. Party time! Isn’t ad revenue the greatest. The in game pay to play money is fun too. Thanks all!

12/10/2009 4:42PM – Still growing. I was alerted that one server crashed. No users affected. Technology is cool.

12/18/2009 9:16PM– ‘Bout to go silent for the Holidays. Hope you all have good ones. See you at 1.5 million when I return.

12/19/2009 7:00AM – Decided to add a couple more cloud instances for good measure. App is smoking fast.

12/31/2009 10:45PM – Monitoring just hit my phone, at party will check asap.

12/31/2009 11:00PM – Found a netbook at the party. App is crashed. Looking.

12/31/2009 11:07 PM – WT? All servers down, hard down. SL up and friend app good on SL network. Investigating, sorry for outage.

12/31/2009 11:10 PM – Hackers? Not sure all servers affected. Ping only. Had very secure. No problem before.

12/31/2009 11:29PM – Portal password got hacked. Intruders OS reloaded every server with RedHat, turned off all CCI.

1/04/2009 6:00AM – Happy New Year, mine sucked – app back – 5000 daily users. Sad day.

While the above is completely fictional, it could happen to just about anyone. Don’t let it happen to you. No matter how long and how secure you think your password is, there is someone out there who can crack it. It is one thing keeping a server secure and most technical geniuses are very adept at doing just that. With all the time and effort it takes to keep your servers secure, you might find that you have slipped in other areas. SoftLayer is here to help in VIP Style.

The cutting edge SoftLayer portal now has optional Two Factor Authentication support using VeriSign’s Identity Protection. First, what is Two Factor Authentication? It is defined as, “something you know (password) and something you HAVE (pin number of sorts).” Here is how it works:

You buy a physical device in the form of a keychain token or a credit card token; or in the cool age of technology, you can simply get one of the free phone apps that do the same thing for you without the extra piece of equipment to carry. Once you get the device/app you would go to the portal and register the token’s unique ID and attach it to a username on the account. The master user gets this FREE and then if you want other users on your account to have this functionality it is $3 per user per month. If the master user does turn on this functionality no one else will be allowed into the system without using two factor authentication. Once this is set up, the user will log in using their “known” password and then they will also have to enter the “code” (the thing you have) on the token device or phone app to gain access. The code changes on a fast schedule so this is extremely secure. This would have made the New Year’s celebration for the person above much more fun.

One last thing, since we partnered with VeriSign you can use the token device or phone app for different sites that use the VeriSign product. PayPal is one example. Here is a complete list.

Now that you know about it, and now that we offer it, don’t be the guy that doesn’t keep the portal secure and misses out on a Happy New Year!

December 30, 2009

The Newbie

By in Business, Culture, Introductions, SoftLayer

Hi, I am the newbie and just wanted to start off saying thank you to everyone for making me feel so welcome. I have really enjoyed my first week here at SoftLayer. I can honestly say, this is the most exciting and fun job I have had. SoftLayer should win the Best Places to Work in DFW for 2010!

I think the best part about starting right before the holidays is getting to share the holiday cheer with all my new co-workers. As most people know, most companies get busy around the holidays which can cause tension and stress in the workplace. Coming into SoftLayer one of the major things I liked is that no matter how busy we are there is still a sense of peace and calmness; this is a great asset in a workplace.

As most would know, when you first start out at a new company you need to do research to learn about your new company and the industry it is involved in. These first few days I have been reading a bunch of different articles and websites to learn more about what SoftLayer does and to get a feel for the industry. I have to say I am still rather confused. There are so many technical terms and Wikipedia doesn’t pick up on all of them (ha ha). The more research I do, though, the more I pick up on certain things. I still have more to learn but I am eager and excited to learn more about SoftLayer and the industry. Now off to do more research!

November 4, 2009

Exposure

By in Culture, Introductions, SoftLayer

Imagine this… You’ve decided to move to a new location, experience a new culture, and try new things. Let’s pretend for this particular instance that you’ve decided to take a trip to Magrathea to get away from it all. After a few weeks you start picking up a few local phrases, learn the native idiosyncrasies, and assimilate yourself into the culture of the Magratheans. Later you notice that you’ve assimilated quite well, and what used to be weird, different, and sort of scary has become second nature to you. You then can talk the talk and walk the walk.

Such is a similar case here at SL. You start, and regardless of the knowledge level coming in (I hadn’t been exposed to the web hosting industry before my tenure began here at SL), you feel a bit overwhelmed. The people, the culture and even the SLanguage is slightly different from the rest of the world. We move faster, work harder, and laugh more than the average technician. While at first glance life here at SL seems overwhelming, soon one realizes that they’re starting to get it together. Soon the pieces start to come together, and it only snowballs from there.

I’ll never forget my training. The new hardware, the IPMI, the automated provisions… it all seemed so unreal, confusing, and at times crazy. After working in depth for some time, I began to get the hang of things, and then I was able to solve more and more complex problems, and eventually teach the trainees the ways of the SLayer, and the cycle would continue. I’ve since taken on new responsibilities, and continue to learn new things every day – all through exposure. I guess what I’m trying to convey here is that regardless of how well you think you know something, nothing teaches like exposure and immersion into a particular topic.

October 26, 2009

Dickies, Abercrombie & Fitch, Gap…SoftLayer?

By in Culture, Funny, Introductions, SoftLayer

Is there anything SoftLayer can’t do!!?? Of course not! It seems every day I come to work there is something new that we are offering. Today, I came in ready to read up on any new products we might have released, and to my surprise, we now have a clothing line! Can you believe it!? SoftLayer now has clothing for employees. This includes everything from sweatshirts, to polos, to t-shirts, to hats, to specialized shirts, including workout shirts. I must say I find the workout shirts ironic considering the number of employees that actually work out. I believe the number is 3…oh wait…maybe 4. I’m not sure how many golfers we have, but the ones who do golf will look good in their SL gear. I hope the SoftLayer clothing line is opened up to the public soon as I would love to see my company represented in the mall by a random “Joe” who appreciated an amazing company. It is truly exciting seeing a company go from several employees in a “closet” and one server room, to a huge entity with a multitude of server rooms, multiple datacenters in multiple locations, a huge array of offerings, a cutting edge mentality, a solid track record, a commitment to be the best in the business, and yes, now a clothing line. SoftLayer has taken a huge bite out of the on-demand data center and hosting industry and continues to hunger for more. I guess now is the time to put the top clothing manufacturers on notice as SoftLayer is comin’ for ya!

October 2, 2009

Is That a Real Computer?

By in Business, Cloud, Customer Service, Introductions, News, SoftLayer

Some mornings after work when the weather is nice I’ll go to a local coffee shop on the way home to read or study for the CCNA exams. Sometimes I’ll just end up pulling out the netbook and browsing around online. There are times during these outings when I’ll get asked the title question of this blog: is that a real computer? I guess it’s the size that throws people but the answer is yes.

For those who are not familiar with the netbook class of systems here are the specs for mine:

  • 10.2 inch screen
  • 1 GB RAM
  • 1.6GHz Intel Atom processor
  • 160GB SATA hard drive
  • 3 USB ports
  • Card reader
  • Built-in Wifi
  • Built-in webcam
  • Windows XP (I’ve got plans for Windows 7)
  • 5 hour battery life
  • Light weight (I’ve got books that weigh more)

Netbooks are great for when you’re just knocking around town and might want to do some light web work. This morning while at Starbucks I’ve checked e-mail several times, caught up on the daily news, and reviewed the game statistics from the Cowboys game I missed last night. Other mornings I’ve fired up a VPN connection into the office and been able to remotely help with tickets, work on documentation for our SSL product and tinker around with a NetScaler VPX Express virtual machine (an interesting bit of tech for a later article).

So how does this tie into server hosting?

You’ve probably had a time when your monitoring has indicated a service ceasing to respond on a server. If all you have is a cell phone the options are somewhat limited. With a fancy enough phone you might have an SSH or RDP client but do you really want to do anything on a PDA sized screen? I didn’t think so. You can put in a ticket from your phone and our support can help out but the person best able to fix a service failure is still going to be you, the server administrator who knows where all the bodies are buried and how the bits tie together.

A small netbook can be a lightweight (and inexpensive) administration terminal for your servers hosted with us. Just find an Internet connection, connect up to the SoftLayer VPN and now you have complete access to work on your servers via a secure connection.

Through the wonders of the IPMI KVM this access even includes the console which opens up the possibility of doing a custom kernel build and install safely, while sitting under the stars, drinking a hot chocolate and watching the local nightlife.

Sounds like a pretty nice reality to me.

September 21, 2009

Hardwhere? – Part Deux: Softwhere (as in soft, fluffy clouds)

By in Cloud, Development, Infrastructure, Introductions, SoftLayer

I won’t pretend to know the ins and outs of the cloud software we use (okay, maybe a little :) ), but I know the gist of it as far as hardware is concerned: redundancy. Entire servers were the last piece of the puzzle needed to complete entire hardware redundancy. In my original article, Hardwhere? (http://theinnerlayer.softlayer.com/2008/hardwhere/), I talked about using load balancers to spread the load to multiple servers (a service we already had at the time) and alluded to cloud computing.

Now cloud services are a reality.

This is a dream come true for me as the hardware manager. Hardware will always have failures and living in the cloud eliminates customer impact. Words cannot describe what it means to the customer. Never again will a downed server impact service.

Simply put, when you use a SoftLayer CloudLayer Computing Instance, your software is running on one or more servers. If one of these should fail, the load of your software is shifted to another server in the “cloud” seamlessly. We call this HA or High Availability.

If there is a sad part to all of this, it would be that I have spent considerable effort optimizing the hardware department to minimize customer downtime in the event of hardware failures. But I have a rather odd way of looking at my job. I believe the end game of any job I do is complete automation and/or elimination of the task altogether. (Can you say the opposite of job security?) I have a going joke where I say: “Until I have automated and/or proceduralized everything down to perfection with one big red button, there is still work to be done!”

Cloud computing eliminates the customer impact of hardware failures. Bam! Even though this has nothing to do with my hardware department planning, policies and procedures, I have no ego in the matter. If it solves the problem, I don’t care who did the work and was the genius behind it all, as long as it moves us forward with the best products and optimal customer satisfaction!

We have taken the worry out of hosting- no more deciding what RAID is best. No more worrying about how to keep your data available in the event of a hardware failure. CloudLayer does it for you and has all the same service options as a dedicated server and more! One more step to a big red button for the customer!

Now back to working on the DC patrol sharks (they keep eating the techs!) New project- tech redundancy!

September 15, 2009

Managing Your Traffic in the Modern Era

By in Business, Executive Blog, Introductions, News, SoftLayer

Over the past 10 years, I’ve run or helped run all sizes of web sites and internet applications. I’ve seen everything from single-page brochure web sites to horizontally scaled interactive portals. And what I’ve learned is that it is all about the end-user experience.

I’m not a graphics specialist or a GUI designer. I just don’t have that in my DNA. I focus more on the technical side of things working on better ways to deliver content to the user. And in the purely technical area, the best thing to do to improve the user experience is to improve the delivery speed to the user.

There are a lot of tools out there that can be used to speed up delivery. CDN, for example, is an awesome way to get static content to an end user and is very scalable. But what about scaling out the application itself?

Traditionally, a simple Layer-4 Load Balancer has been a staple component of scalable applications. This type of Load Balancing can provide capacity during traffic peaks as well as increase availability. The application runs on several servers and the load balancer uses some simple methods (least connections, round robin, etc) to distribute the load. For a lot of applications this is sufficient to get content reliably and quickly to the end user. SoftLayer offers a relatively inexpensive load-balancing service for our customers that can provide this functionality.

There is another, more sophisticated, tool that can be used to manage internet application traffic. That is the “Application Delivery Controller” (obligatory Wikipedia link: http://en.wikipedia.org/wiki/Application_Delivery_Controller) or “Load Balancer on Steroids”. This class of traffic manager can act in Layer-7, the data layer. These devices can make decisions based on the actual content of the data packets, not just the source and destination.

And an ADC can do more than load balance. It can act as a Web Application Firewall to protect your data. It can speed up your application using SSL Offloading, Content Caching, TCP Optimization, and more. This type of device is very smart and very configurable and will help in delivering the application to the end user.

At SoftLayer we have seen our customers achieve a lot of success with our Layer-4 Load Balancer product. But we are always looking for other tools to help our customers. We always have admired the advanced functionality in the appliance-based Application Delivery Controllers on the market. Finding a way to get this enterprise-grade technology to our customers in an affordable manner was problematic. When Citrix announced that they were going to create a version of their NetScaler product that didn’t require an appliance we were thrilled. With the announcement of the NetScaler VPX we finally thought we had found the right product that we could use to affordably provision this advanced technology on-demand to our customers.

SoftLayer is VERY excited to partner with Citrix to provide the NetScaler VPX Application Delivery Controller to our customers. Our customers can order a NetScaler VPX, and in a matter of minutes be managing the delivery of their online applications using one of the most sophisticated tools on the market. Citrix does a better job of promoting the product than I do, so here is the link to their site: http://citrix.com/English/ps2/products/product.asp?contentID=21679&ntref=hp_nav_US.

Remember, it’s all about the experience of the user at the other end of the wire. Find the right tools to manage that experience and you are most of the way there. Oh yeah, and find a good graphics designer too. That helps. So does good content.

-@nday91