Posts Tagged 'Security'

February 28, 2012

14 Questions Every Business Should Ask About Backups

Unfortunately, having "book knowledge" (or in this case "blog knowledge") about backups and applying that knowledge faithfully and regularly are not necessarily one and the same. Regardless of how many times you hear it or read it, if you aren't actively protecting your data, YOU SHOULD BE.

Here are a few questions to help you determine whether your data is endangered:

  1. Is your data backed up?
  2. How often is your data backed up?
  3. How often do you test your backups?
  4. Is your data backed up externally from your server?
  5. Are your backups in another data center?
  6. Are your backups in another city?
  7. Are your backups stored with a different provider?
  8. Do you have local backups?
  9. Are your backups backed up?
  10. How many people in your organization know where your backups are and how to restore them?
  11. What's the greatest amount of data you might lose in the event of a server crash before your next backup?
  12. What is the business impact of that data being lost?
  13. If your server were to crash and the hard drives were unrecoverable, how long would it take you to restore all of your data?
  14. What is the business impact of your data being lost or inaccessible for the length of time you answered in the last question?

We can all agree that the idea of backups and data protection is a great one, but when it comes to investing in that idea, some folks change their tune. While each of the above questions has a "good" answer when it comes to keeping your data safe, your business might not need "good" answers to all of them for your data to be backed up sufficiently. You should understand the value of your data to your business and invest in its protection accordingly.

For example, a million-dollar business running on a single server will probably value its backups more highly than a hobbyist with a blog she contributes to once every year and a half. The million-dollar business needs more "good" answers than the hobbyist, so the business should invest more in the protection of its data than the hobbyist.

If you haven't taken time to quantify the business impact of losing your primary data (questions 11-14), sit down with a pencil and paper and take time to thoughtfully answer those questions for your business. Are any of those answers surprising to you? Do they make you want to reevaluate your approach to backups or your investment in protecting your data?

The funny thing about backups is that you don't need them until you NEED them, and when you NEED them, you'll usually want to kick yourself if you don't have them.

Don't end up kicking yourself.

-@khazard

P.S. SoftLayer has a ton of amazing backup solutions, but in the interest of making this post accessible and sharable, I won't go crazy linking to them throughout the post. The latest product release that got me thinking about this topic was the SoftLayer Object Storage launch, and if you're concerned about your answers to any of the above questions, object storage may be an economical way to easily get some more "good" answers.

February 21, 2012

Startup Series: Distil

As you may have read in one of my previous posts, SoftLayer partners with various startup accelerator programs around the world. This gives us the incredible opportunity to get up close and personal with some of the brightest entrepreneurs in the tech industry. Because SoftLayer grew out of a classic startup environment, we have a passion for helping new companies achieve their goals. From C-level execs all the way down the chain, we're committed to finding the best innovators out there and mentoring them on their way to success.

We're planning a pretty big public debut for the SoftLayer startup program in the coming months, but we want to start introducing you to some of the killer startup companies we already are working with. Today's incredible business: Distil.

Distil

Distil is currently enrolled in the TechStars Cloud Accelerator program, where SoftLayer CSO George Karidis, CTO Duke Skarda, and I serve as mentors. After meeting the guys at Distil, I couldn't wait to get them set up with us as well.

Here's a quick insight into the company from a quick Q&A with the brains of the operation, Rami Essaid, Founder and CEO of Distil:

Q: Tell me a little bit about Distil and how you got started.

A: Distil is the first content protection network that helps companies identify and block malicious bots from harvesting and stealing their data. We started after talking to online publishers about their security needs, and we quickly realized that digital publishers had no control over their content once they put it on the web. We started working to create the first platform aimed to help them protect and control their information.

Q: When was the moment you first recognized you had a big idea?

A: It happened after presenting our proof of concept to a couple of digital publishers; the enthusiastic feedback we received made us instantly realize that this was it.

Q: How did you build your company?

A: The company started as an after-work hobby. As the platform picked up momentum, we slowly started leaving our jobs to devote all of our time to Distil. We quickly raised seed capital to help fuel our growth.

Q: What are the keys to Distil's success?

A: The team I have at Distil is absolutely the reason for our success. Each person's hard work, energy, and dedication allow us to accomplish twice as much in half the time. This group of guys is the most intelligent and keen I have ever had the pleasure of working with.

Q: How would you describe the market for your product?

A: Distil is a technology solution to a problem that traditionally only relied on laws and litigation. Copyright infringement has been an issue on the web since the World Wide Web was started, but up until now most companies treated the data theft reactively. We are disrupting that way of thinking and creating a new market, protecting data and content proactively before it is ever stolen.

Q: How did you arrive at SoftLayer and how have we helped?

A: We were connected to SoftLayer through the TechStars Cloud Accelerator program. We were introduced to SoftLayer's leadership team, and they worked with us to improve our platform performance and tweak our designs to utilize both dedicated and cloud servers. By using this hybrid solution, we've been able to gain the power and speed of dedicated servers while still having the flexibility to burst and scale on demand.

Q: What advice would you give to other startups?

A: The best advice I can give to any startup is to make sure they're passionate about what they're doing. Startup life is not easy. You work 16-20 hours a day, seven days a week, have very little money, and are always worried someone else will beat you to the prize. Passion is the only reason you get up in the morning.

Learn more about Distil at distil.it.

In my short conversation with Rami, I could hear his passion. That's exactly what we're looking for in companies who join the SoftLayer startup program. We can't wait to see what the future holds for Distil.

If you enjoy reading about cool new startups, bookmark the Startups page here on the SoftLayer Blog or subscribe to the "Startups" RSS feed to meet some of the most badass startups in the world.

Calling All Startups!

Companies in our program receive mentoring, best practices advice, industry insight, and tangible resources including:

  • A $1,000 per month credit for dedicated hosting, cloud hosting or any kind of hybrid hosting setup
  • Advanced infrastructure help and advice
  • A dedicated Senior Account Representative
  • Marketing support

If you're interested in joining our program and getting the help you deserve, shoot me an email, and we'll help you start the application process.

-@PaulFord

January 3, 2012

Hosting Resolutions for the New Year

It's a new year, and though the only real change on January 1 is the last digit in the year, that change presents a blank canvas for the year. In the past, I haven't really made New Year's resolutions, but because some old Mayan calendar says this is my last chance, I thought I'd take advantage of it. In reality, being inspired to do anything that promotes positive change is great, so in the spirit of New Year's improvements, I thought I'd take a look at what hosting customers might want to make resolutions to do in 2012.

What in your work/hosting life would you like to change? It's easy to ignore or look past small goals and improvements we can make on a daily basis, so let's take advantage of the "clean slate" 2012 provides us to be intentional about making life easier. A few small changes can mean the difference between a great day in the office and a frantic overnight coffee binge (which we all know is so great for your health). Because these changes are relatively insignificant, you might not recognize anything in particular that needs to change right off the bat. You might want to answer a daunting question like, "What should you do to improve your workflow or reduce work-related stress?" Luckily, any large goal like that can be broken down into smaller pieces that are much easier to manage.

Enough with the theoretical ... let's talk practical. In 2012, your hosting-related New Year's resolutions should revolve around innovation, conservation, security and redundancy.

Innovation

When it comes to hosting, a customer's experience and satisfaction is the most important focus of a successful business. There's an old cliche that says, "If you always do what you've always done, you'll always get what you've always gotten," and that's absolutely correct when it comes to building your business in the new year. What can you change or automate to make your business better? Are you intentionally "thinking outside the box?"

Conservation

The idea of "conservation" and "green hosting" has been written off as a marketing gimmick in the world of hosting, but there's something to be said for looking at your utilization from that perspective. We could talk about the environmental impact of hosting, and finding a host that is intentional about finding greener ways to do business, but if you're renting a server, you might feel a little disconnected from that process. When you're looking at your infrastructure in the New Year, determine whether your infrastructure is being used efficiently by your workload. Are there tools you can take advantage of to track your infrastructure's performance? Are you able to make changes quickly if/when you find inefficiencies?

Security

Another huge IT-related resolution you should make would be around security. Keeping your system tight and locked up can get forgotten when you're pushing development changes or optimizing your networking, so the beginning of the year is a great time to address any possible flaws in your security. Try to start with simple changes in your normal security practices ... Make sure your operating systems and software packages are regularly patched. Keep a strict password policy that requires regular password updates. Run system log checks regularly. Reevaluate your system firewall or ACL lists.

All of these safety nets may be set up, but they may not be functioning at their best. Even precautions as simple as locking your client or workstation when not in use can help stop attacks from local risks and prying eyes ... And this practice is very important if you keep system backups on the same workstations that you use. Imagine if someone local to your workstation or client was able to retrieve your backup file and restore it ... Your security measures would effectively be completely nullified.

Redundancy

Speaking of backups, when was your most recent backup? When is your next backup? How long would it take you to restore your site and/or data if your current server(s) were to disappear from the face of the Earth? These questions are easy to shrug off when you don't need to answer them, but by the time you do need to answer them, it's already too late. Create a backup and disaster recovery plan. Today. And automate it so you won't have the ability to forget to execute on it.

Make your objectives clear, and set calendar reminders throughout the year to confirm that you're executing on your goals. If some of these tasks are very daunting or difficult to implement in your current setup, don't get discouraged ... Set small goals and chip away at the bigger objective. Progress over time will speak for itself. Doing nothing won't get you anywhere.

Happy New Year!

-Jonathan

December 30, 2011

The Pros and Cons of Two-Factor Authentication

The government (FISMA), banks (PCI) and the healthcare industry are huge proponents of two-factor authentication, a security measure that requires two different kinds of evidence that you are who you say you are ... or that you should have access to what you're trying to access. In many cases, it involves using a combination of a physical device and a secure password, so those huge industries were early adopters of the practice. In our definition, two-factor authentication is providing "something you know, and something you have." When you're talking about national security, money or people's lives, you don't want someone with "password" as their password to unwittingly share his or her access to reams of valuable information.

What is there not to like about two-factor authentication?

That question is one of the biggest issues I've run into as we continue pursuing compliance and best practices in security ... We can turn on two-factor authentication everywhere – the portal, the VPN, the PoPs, internal servers, desktops, wireless devices – and make the entire SoftLayer IS team hate us, or we can tell all the admins, auditors and security chiefs of the world to harden their infrastructure without it.

Regardless of which direction we go, someone isn't going to like me when this decision is made.

There are definite pros and cons of implementing and requiring two-factor authentication everywhere, so I started a running list that I've copied below. At the end of this post, I'd love for you to weigh in with your thoughts on this subject. Any ideas and perspective you can provide as a customer will help us make informed decisions as we move forward.

Pros

  • It's secure. Really secure.
  • It is a great deterrent. Why even try to hack an account when you know a secondary token is going to be needed (and only good for a few seconds)?
  • It can keep you or your company from being in the news for all the wrong reasons!

Cons

  • It's slow and cumbersome ... Let's do some math: 700 employees at 6 logins per day on average means 4200 logins per day. Assume 4 seconds per two-factor login, and you're looking at 16,800 extra seconds (4.66 hours) a day shifted from productivity to simply logging into your systems.
  • Users have to "have" their "something you have" all the time ... Whether that's an iPhone, a keyfob or a credit card-sized token card.
  • RSA SecurID was HACKED! I know of at least one financial firm that had to turn off two-factor authentication after this came up.
  • People don't like the extra typing.
  • System Administrators hate the overhead on their systems and the extra points of failure.

As you can start to see, the volume of cons outweighs the pros, but the comparison isn't necessarily quantitative. If one point is qualitatively more significant than two hundred contrasting points, which do you pay attention to? If you say "the significant point," then the question becomes how we quantify the qualitativeness ... if that makes any sense.

I had been a long-time hater of two-factor authentication because of my history as a Windows sysadmin, but as I've progressed in my career, I hate to admit that I became a solid member of Team Two-Factor and support its merits. I think the qualitative significance of the pros outweighs the quantitative advantage the cons have, so as much as it hurts, I now get to try to sway our senior systems managers to the dark side as well.

If you support my push for further two-factor authentication implementation, wish me luck ('cause I will need it). If you're on Team Anti-Two-Factor, let me know what the key points are when you've decided against it.

-@skinman454

December 23, 2011

Back up Your Life: In the Clouds, On the Go

The value of our cloud options here at SoftLayer has never been more noticeable than during the holiday season. Such a hectic time of the year can cause a lot of stress ... Stress that can lead to human error on some of your most important projects, data and memories. Such a loss could result in weeks or even years of valuable time and memories gone.

In the past few months, I've gone through two major data-related incidents that I was prepared for, and I can't imagine what I would have done if I didn't have some kind of backups in place. In one instance, my backups were not very current, so I ended up losing two weeks' worth of work and data, but every now and then, you hear horror stories of people losing (or having to pay a lot to restore) all of their data. The saddest part about the data loss is that it's so easily preventable these days with prevalent backup storage platforms. For example, SoftLayer's CloudLayer Storage is a reliable, inexpensive place to keep all of your valuable data so you're not up a creek if you corrupt/lose your local versions somehow (like dropping a camera, issuing a command with the wrong syntax or simply putting a thumb drive through the washer).

That last "theoretical" example was in fact one of the "incidents" I dealt with recently. A very important USB thumb drive that I keep with me at all times was lost to the evil water machine! Because the security of the data was very important to me, I made sure to keep the drive encrypted in case of loss or theft, but the frequency of my backup schedule was the crack in my otherwise well-thought-out data security and redundancy plan. A thumb drive is probably one of the best examples of an item that needs an automatic system or ritual to ensure data concurrency. This is a device we carry on us at all times, so it sees many changes in data. If this data is not properly updated in a central (secure and redundant) location, then all of our other efforts to take care of that data are wasted.

The problem with my "Angel" (the name of the now-washed USB drive) was related to concurrency rather than security, and looking back at my mistake, I see how "The Cloud" would have served as a platform to better improve the way I was protecting my data with both of those points in mind. And that's why my new backups-in-the-cloud practices let me sleep a little more soundly these days.

If you're venturing out to fight the crowds of last-minute holiday shoppers or if you're just enjoying the sights and sounds of the season, be sure your memories and keepsake digital property are part of a well designed SRCD (secure, redundant and concurrent data) structure. Here are a few best practices to keep in mind when setting up your system:

  • Create a frequent back-up schedule
  • Use at least two physically separate devices
  • Follow your back-up schedule strictly
  • Automate everything you can for when you forget to execute on the previous bullet*

*I've used a few different programs (both proprietary and non-proprietary) that allow an automatic back-up to be performed when you plug your "on the go" device into your computer.

I'll keep an eye out for iPhone, Android and Blackberry apps that will allow for automatic transfers to a central location, and I'll put together a fresh blog with some ideas when I find anything interesting and worth your attention.

Happy Holidays!

- Jonathan

December 1, 2011

UNIX Sysadmin Boot Camp: Permissions

I hope you brought your sweat band ... Today's Boot Camp workout is going to be pretty intense. We're focusing on our permissions muscles. Permissions in a UNIX environment cause a lot of customer issues ... While everyone understands the value of secure systems and limited access, any time an "access denied" message pops up, the most common knee-jerk reaction is to enable full access to one's files (chmod 777, as I'll explain later). This is a BAD IDEA. Open permissions are a hacker's dream come true. An open permission setting might have been a temporary measure, but more often than not, the permissions are left in place, and the files remain vulnerable.

To better understand how to use permissions, let's take a step back and get a quick refresher on key components.

You'll need to remember the three permission types:

r w x: r = read; w = write; x = execute

And the three types of access they can be applied to:

u g o: u = user; g = group; o = other

Permissions are usually displayed in one of two ways – either with letters (rwxrwxrwx) or numbers (777). When the permissions are declared with letters, you should look at it as three sets of three characters. The first set applies to the user, the second applies to the group, and the third applies to other (everyone else). If a file is readable only by the user and cannot be written to or executed by anyone, its permission level would be r--------. If it could be read by anyone but could only be writeable by the user and the group, its permission level would be rw-rw-r--.

The numeric form of chmod uses bits to represent permission levels: read has the value 4, write 2, and execute 1. When you want a file to have read and write access, you just add the permission values: 4 + 2 = 6. When you want a file to have read, write and execute access, you'll have 4 + 2 + 1, or 7. You'd then apply that numerical permission to a file in the same order as above: user, group, other. Using the last example from the previous paragraph, a file that could be read by anyone, but could only be written by the user and the group, would have a numeric permission level of 664 (user: 6, group: 6, other: 4).

Now the "chmod 777" I referenced above should make a little more sense: All users are given all permissions (4 + 2 + 1 = 7).

Applying Permissions

Understanding these components, applying permissions is pretty straightforward with the use of the chmod command. If you want a user (u) to write and execute a file (wx) but not read it (r), you'd use something like this:

[Image: terminal output of chmod -v with u-r,u+wx applied to a file, showing mode 0300 (-wx------)]

In the above terminal image, I added the -v parameter to make it "verbose," so it displays the related output or results of the command. The permissions set by the command are shown by the number 0300 and the series (-wx------). Nobody but the user can write or execute this file, and as of now, the user can't even read the file. If you were curious about the leading 0 in "0300," it simply means that you're viewing an octal output, so for our purposes, it can be ignored entirely.

In that command, we're removing the read permission from the user (hence the minus sign between u and r), and we're giving the user write and execute permissions with the plus sign between u and wx. Want to alter the group or other permissions as well? It works exactly the same way: g+, g-, o+, o- ... Getting the idea? chmod permissions can be set with the letter-based commands (u+r, u-w) or with their numeric equivalents (e.g. 400 or 644), whichever floats your boat.

A Quick Numeric chmod Reference

chmod 777 | Gives specified file read, write and execute permissions (rwx) to ALL users
chmod 666 | Allows for read and write privileges (rw) to ALL users
chmod 555 | Gives read and execute permissions (rx) to ALL users
chmod 444 | Gives read permissions (r) to ALL users
chmod 333 | Gives write and execute permissions (wx) to ALL users
chmod 222 | Gives write privileges (w) to ALL users
chmod 111 | Gives execute privileges (x) to ALL users
chmod 000 | Last but not least, gives permissions to NO ONE (Careful!)

Get a List of File Permissions

To see what your current file permissions are in a given directory, execute the ls -l command. This returns a listing of the current directory that includes each entry's permissions, owner and group, size and last-modified date. The output of ls -l looks like this:

[Image: sample ls -l output]

On the left side of that image, you'll see the permissions in the rwx format. When the permission begins with the "d" character, it means that object is a directory. When the permission starts with a dash (-), it is a file.

Practice Deciphering Permissions

Let's look at a few examples and work backward to apply what we've learned:

  • Example 1: -rw-------
  • Example 2: drwxr-x---
  • Example 3: -rwxr-xr-x

In Example 1, the file is not a directory, the user that owns this particular object has read and write permissions, and when the group and other fields are filled with dashes, we know that their permissions are set to 0, so they have no access. In this case, only the user who owns this object can do anything with it. We'll cover "ownership" in a future blog, but if you're antsy to learn right now, you can turn to the all-knowing Google.

In Example 2, the permissions are set on a directory. The user has read, write and execute permissions, the group has read and execute permissions, and anything/anyone besides user or group is restricted from access.

For Example 3, put yourself to the test. What access is represented by "-rwxr-xr-x"? The answer is included at the bottom of this post.
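The post shows one chmod spec (u-r,u+wx) and a handful of ls -l strings; the following Python script is an added example (not code from the original post) that generalizes both: it converts between the letter form ls -l prints and the octal form chmod takes, applies symbolic specs for the u/g/o/a classes with the +, - and = operators to a numeric mode the way chmod does, and flags the world-writable settings (777, 666) the post warns against. The function and file names are the example's own, the sample modes are constructed, and the standalone run applies the post's u-r,u+wx example to a throwaway temporary file.

```python
"""Worked example of the rwx / octal permission notation and symbolic chmod specs."""
import os
import stat
import tempfile

# Value of each permission letter within an rwx triple (read 4, write 2, execute 1).
BITS = {"r": 4, "w": 2, "x": 1}
# The three classes, in the order they appear in both the letter and numeric forms.
CLASSES = ("u", "g", "o")


def symbolic_to_octal(perm: str) -> int:
    """Turn an ls -l style string such as 'drwxr-x---' or 'rw-rw-r--' into a mode.

    A leading type character ('-' for a file, 'd' for a directory) is accepted and ignored.
    """
    if len(perm) == 10:
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    mode = 0
    for i, ch in enumerate(perm):
        expected = "rwx"[i % 3]          # each triple is always written in r, w, x order
        if ch == expected:
            mode |= BITS[ch] << (3 * (2 - i // 3))   # user triple is the high octal digit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def octal_to_symbolic(mode: int) -> str:
    """Inverse conversion: 0o664 -> 'rw-rw-r--'."""
    out = []
    for shift in (6, 3, 0):
        triple = (mode >> shift) & 0o7
        out.append("".join(ch if triple & BITS[ch] else "-" for ch in "rwx"))
    return "".join(out)


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod spec such as 'u-r,u+wx', 'go-w' or 'o=' to a numeric mode.

    Handles the classes u/g/o/a (no class means 'a') and the operators + - =.
    The special bits (setuid/setgid/sticky) and the 'X' permission are not modelled.
    """
    for clause in spec.split(","):
        for idx, ch in enumerate(clause):     # find the operator
            if ch in "+-=":
                break
        else:
            raise ValueError(f"no operator in {clause!r}")
        who, op, perms = clause[:idx] or "a", clause[idx], clause[idx + 1:]
        targets = CLASSES if who == "a" else tuple(who)
        for cls in targets:
            if cls not in CLASSES:
                raise ValueError(f"unknown class {cls!r}")
            shift = 3 * (2 - CLASSES.index(cls))
            bits = sum(BITS[p] for p in perms) << shift   # KeyError on a letter other than r/w/x
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                                         # '=' replaces the whole triple
                mode = (mode & ~(0o7 << shift)) | bits
    return mode & 0o777


def is_world_writable(mode: int) -> bool:
    """True for the wide-open settings the post calls a hacker's dream (777, 666, ...)."""
    return bool(mode & 0o002)


def chmod_and_verify(path: str, spec: str) -> str:
    """Apply a symbolic spec to a real file via os.chmod and read it back in ls -l form."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, apply_symbolic(current, spec))
    return octal_to_symbolic(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    # Reproduce the post's example on a temporary file that starts with no permissions:
    # the owner may write and execute but not read, i.e. mode 0300 / -wx------.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    os.chmod(path, 0o000)
    print(chmod_and_verify(path, "u-r,u+wx"))
    os.unlink(path)
```

Running it directly prints -wx------, matching the 0300 in the post's terminal image; the pure functions can be imported and used to audit a listing, for instance by feeding each ls -l permission column through symbolic_to_octal and is_world_writable to find the 777 and 666 entries that were "temporary" and never reverted.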

Wrapping It Up

How was that for a crash course in Unix environment permissions? Of course there's more to it, but this will at least make you think about what kind of access you're granting to your files. Armed with this knowledge, you can create the most secure server environment.

Here are a few useful links you may want to peruse at your own convenience to learn more:

Linuxforums.org
Zzee.com
Comptechdoc.org
Permissions Calculator

Did I miss anything? Did I make a blatantly ridiculous mistake? Did I use "their" when I should have used "they're"??!!... Let me know about it. Leave a comment if you've got anything to add, suggest, subtract, quantize, theorize, ponderize, etc. Think your useful links are better than my useful links? Throw those at me too, and we'll toss 'em up here.

Are you still feeling the burn from your Sysadmin Boot Camp workout? Don't forget to keep getting reps in bash, logs, SSH, passwords and user management!

- Ryan

[Image: Example 3 Answer]

September 27, 2011

The Challenges of Cloud Security Below 10,000 Feet

This guest blog was contributed by Wendy Nather, Research Director, Enterprise Security Practice at The 451 Group. Her post comes on the heels of the highly anticipated launch of StillSecure's Cloud SMS, and it provides some great context for the importance of security in the cloud. For more information about Cloud SMS, visit www.stillsecure.com and follow the latest updates on StillSecure's blog, The Security Samurai.

If you're a large enterprise, you're in pretty good shape for the cloud: you know what kind of security you want and need, you have security staff who can validate what you're getting from the provider, and you can hold up your end of the deal – since it takes both customer and provider working together to build a complete security program. Most of the security providers out there are building for you, because that's where the money is; and they're eager to work on scaling up to meet the requirements for your big business. If you want custom security clauses in a contract, chances are, you'll get them.

But at the other end of the scale there are the cloud customers I refer to as being "below the security poverty line." These are the small shops (like your doctor's medical practice) that may not have an IT staff at all. These small businesses tend to be very dependent on third party providers, and when it comes to security, they have no way to know what they need. Do they really need DLP, a web application firewall, single sign-on, log management, and all the premium security bells and whistles? Even if you gave them a free appliance or a dedicated firewall VM, they wouldn't know what to do with it or have anyone to run it.

And when a small business has only a couple of servers in a decommissioned restroom*, the provider may be able to move them to their cloud, but it may not be able to scale a security solution down far enough to make it simple to run and cost-effective for either side. This is the great challenge today: to make cloud security both effective and affordable, both above and below 10,000 feet, no matter whether you're flying a jumbo airliner or a Cessna.

-Wendy Nather, The 451 Group

*True story. I had to run some there.

September 1, 2011

The Importance of Network Security

On Friday, April 27, 2011, I powered on my Sony PlayStation 3 and prepared to sit down for an enjoyable gaming session. As a Sony customer and a PlayStation Network (PSN) user, I expected my system to be able to connect to a service that I was told would be available. Because I had to sign an agreement to join the PSN, I expected my personal information to be secure. On that morning, I logged in and had no idea that my personal security might be at risk due to a lack of tight-knit practices and possible information redundancy.

My many years of brand loyalty held strong as I was told constantly that the PSN was down as a result of maintenance. I understand that emergencies happen and that a professional company has proper planning in place to shorten the duration of impact. As it turned out, proper planning for this type of event seemed to have been lost on Sony. A malicious security cracker was able to infiltrate their network and gain access to numerous PSN customers' sensitive personal information. This kind of blunder had every PSN customer wondering what could be done to prevent this kind of event from happening again.

You probably noticed that I used the word "cracker" as opposed to the more common "hacker." A hacker is an extremely knowledgeable person when it comes to computers and programming who knows the ins and outs of systems ... which is completely legal. The typical misconception is that all "hackers" are engaged in illegal activity, which is not true. If the hacker decides to use these skills to circumvent security for the purpose of stealing, altering and damaging (which is obviously illegal), then the hacker becomes a cracker. To put it simply: All crackers are hackers, but not all hackers are crackers.

When I started working at SoftLayer three years ago, I was told to pay very close attention to our company's security policy. Each employee is reminded of this policy very regularly. Proper security practice is essential when dealing with private customer data, and with the advancement of technology comes the availability of even more advanced tools for cracking. As a trusted technology partner, it is our obligation to maintain the highest levels of security.

There is not a day at work that I am not reminded of this, and I completely understand why. Even at a personal level, I can imagine the detrimental consequences of having my information stolen, so multiply that by thousands of customers, and it's clear that good security practices are absolutely necessary. SoftLayer recognizes what is at stake when businesses trust us with their information, and that's one of the big reasons I work here. I've gone through the hassle and stress of having to cancel credit cards due to another company's negligence, and as a result, I'm joining my team in making sure none of our customers have to go through the same thing.

-Jonathan

May 31, 2011

Bringing Home Data Center Security

Look at any time period in mankind's history, and you'll come to the undeniable conclusion that technology changes the daily lives of people in any society. With the evolution of technology, our lives have gotten so much easier. Consider all the little luxuries and conveniences available now to get tasks done in the workplace and at home. Unfortunately, our rapid technological advancements aren't necessarily exclusive to the "good guys" ... The "bad guys" are benefiting from new technologies as well. Crime and theft have become more sophisticated, and as a result, more technological advancement has to be pursued in security, and it's pretty remarkable to see some of the security measures and technologies put in place by companies like SoftLayer.

The day I started working here, I thought I was actually joining the CIA. I had to undergo several procedures to gain access to all the facilities: I had my photo taken and my fingerprints scanned before I registered for multiple key cards. The first job I had out of college only required its employees to have a single key card that allowed entrance through one door with access to all areas. Needless to say, it was a lot different to work in such a secure environment.

To give you an idea of what kinds of security we have at our data center, I'll walk you through my daily experience. I step into our lobby and am usually greeted by multiple security guards behind what appears to be bullet-proof glass. I have to pass a fingerprint scanner and numerous secured door checkpoints to get into the office. Every move is under the scrutiny of video cameras recording every square inch of the building. Big Brother is always watching, and for SoftLayer customers, that should be reassuring.

The facility's security reminds me of the movie Minority Report, and while those security measures may seem unnecessary or excessive, they're actually just visible evidence of SoftLayer's focus on the importance of security both online and in the physical realm.

Thinking about safety, I've also started considering heightening security at my home with a few security cameras. Some of my friends joke that this consideration is a sign of impending paranoia, but the "better safe than sorry" mantra should always be kept close to heart when it comes to protecting valuables. Apparently, I'm not alone in my home security research ... A day after writing a good portion of this article, I came to work in the morning and a coworker told me he'd recently bought a security camera with night vision for personal use. I didn't expect such a coincidence, and of course I enthusiastically replied to my coworker that I was thinking about making a similar purchase.

In closing, I'd like to ask you if you've entertained the idea of increasing security in your own home, and if so, do you have any suggestions about what equipment to purchase and features that prove useful? I doubt I'll go as far as hiring security guards and installing fingerprint scanners, but you never know!

-Danny

March 1, 2011

API Basics: REST API - "Hello World"

Learning SoftLayer's API
When I first started to look at SoftLayer's API, I favored the SOAP programming interface because I liked the strictly formatted XML responses, the good separation of concerns (using the server as proxy for data retrieval) and the increased security. All of these are great reasons to use the SOAP interface, but once I saw how easy and direct the REST interface is, I decided that I would use it as my cornerstone for learning the SoftLayer API.

REST API
Although the REST architectural style is a difficult concept to explain, its practice has become natural to those of us who use the internet daily. Imagine that the information you want is saved as a web page somewhere: all you have to do is type in the URL, it will prompt you for a username and password, and you will see the information you requested.

Authentication
Before making a request you will need to find your API authentication token. To do this, log into your customer account and click API under the Support tab. Click the "Manage API Access" link. At the bottom of the next page you will see a drop-down menu that says "Select a User" and above it a tag that says "Generate a new API access key." Select a user and click the "Generate API Key" button. You will see your username and the generated API key for that user. Copy this API key, as you'll need it to send commands to SoftLayer's API.

"Hello World"
Unfortunately, there is no specific "Hello World" command in SoftLayer's API, but there are some commands that are very simple and don't require any variables, like the getObject() method. APIs are like component libraries, split into web services and methods of that service. The SLDN has a full list of SoftLayer's web services to choose from. I am going to use the getObject() method from the SoftLayer_Account service in this example:

https://api.softlayer.com/rest/v3/SoftLayer_Account.xml

  • You will be prompted for your username and API access key
  • XML data type output

https://USERNAME:PASSWORD@api.softlayer.com/rest/v3/SoftLayer_Account.json

  • Automatic authentication
  • JSON data type output

The Request
Here is the basic REST request structure:

https://username:APIkey@api.service.softlayer.com/rest/v3/serviceName/InitializationParameter.returnDatatype

  • All requests are sent via secure transfer (https://)
  • Listing your username and API key before the URL allows for automatic HTTP authentication
  • Service and serviceName both refer to the web service you are trying to access
  • InitializationParameter is only used if the method you are calling requires an initialization Parameter
  • SoftLayer's REST API can respond with either JSON or XML data types; replace returnDatatype with the type you would like to receive.

The Data
Looking at the first link above, your browser should be able to output the response data in XML format, showing information about your account. More information about the format of the data can be found on the SLDN wiki.

REST Basics
When you start integrating this into a website, you will want to find or write a function or library to handle more advanced requests and to properly receive and distribute the response; I recommend using jQuery. This is the most basic example of a function call for SoftLayer's API; I hope it will help you get a feel for the information you need to pass to our server and the kind of response you will receive.

-Kevin
