
May 8, 2014

SoftLayer Security: Questions and Answers

When I talk to IBM Business Partners about SoftLayer, one of the most important topics of discussion is security. We ask businesses to trust SoftLayer with their business-critical data, so it’s important that SoftLayer’s physical and network security is as transparent and understandable as possible.

After going through the notes I’ve taken in many of these client meetings, I pulled out the ten most frequently asked questions about security, and I’ve compiled answers.

Q1: How is SoftLayer secured? What security measures does SoftLayer have in place to ensure my workloads are safe?

A: This “big picture” question is the most common security-related question I’ve heard. SoftLayer’s approach to security involves several distinct layers, so it’s tough to generalize every aspect in a single response. Here are some of the highlights:

  • SoftLayer’s security management is aligned with U.S. government standards based on the NIST 800-53 framework, a catalog of security and privacy controls defined for U.S. federal government information systems. SoftLayer maintains SOC 2 Type II reporting compliance for every data center. SOC 2 reports are audits against controls covering security, availability, and process integrity. SoftLayer’s data centers are also monitored 24x7 for both network and on-site security.
  • Security is maintained through automation (which makes human error less likely) and audit controls. Server room access is limited to authorized employees only, and every location is protected against physical intrusion.
  • Customers can create a multi-layer security architecture to suit their needs. SoftLayer offers several on-demand server and network security devices, such as firewalls and gateway appliances.
  • SoftLayer integrates three distinct network topologies for each physical or virtual server and offers security solutions for systems, applications, and data as well. Each customer has one or many VLANs in each data center facility, and only users and servers the customer authorizes can access servers in those VLANs.
  • SoftLayer offers single-tenant resources, so customers have complete control and transparency into their servers.

Q2: Does SoftLayer destroy my data when I’ve de-provisioned a compute resource?

A: Yes. When a customer cancels any physical or virtual server, all data is erased using Department of Defense (DoD) 5220.22-M standards.

Q3: How does SoftLayer protect my servers against distributed denial of service (DDoS) attacks?

A: A SoftLayer Network Operations Center (NOC) team monitors network performance and security 24x7. Automated DDoS mitigation controls are in place should a DDoS attack occur.

It’s important to clarify here that the primary objective of this DDoS mitigation is to maintain performance integrity of the overall cloud infrastructure. With that in mind, SoftLayer can’t stop a customer from being attacked, but it can shield the customer (and any other customers in the same network) from the effects of the attack. If necessary, SoftLayer will remove the target from the public network for periods of time and null-route incoming connections. Because of SoftLayer’s three-tiered network architecture, a customer would still have access to the targeted system via the private network.

Q4: How is communication segmented from other tenants using SoftLayer?

A: SoftLayer utilizes industry-standard VLANs and switch access control lists (ACLs) to segment customer environments. Customers have the ability to add and manage their own VLANs, providing additional security even inside their own accounts. ACLs are configured to permit or deny the forwarding of any specified network packet (data) through a switch.

Q5: How is my data kept private? How can I confirm that SoftLayer can’t read my confidential data?

A: This question is common among customers who deal with sensitive workloads such as HIPAA-protected documentation, employee records, case files, and so on.

SoftLayer customers are encouraged to deploy a gateway device (e.g. Vyatta appliance) on which they can configure encryption protocols. Because the gateway device is the first hop into SoftLayer’s network, it provides an encrypted tunnel to traverse the VLANs that reside on SoftLayer. When securing compute and storage resources, customers can deploy single tenant dedicated storage devices to establish isolated workloads, and they can even encrypt their hard drives from the OS level to protect data at rest. Encrypting the hard drive helps safeguard data even if SoftLayer were to replace a drive or something similar.

Q6: Does SoftLayer track and log customer environments?

A: Yes. SoftLayer audits and tracks all user activity in our customer portal. Some examples of what is tracked include:

  • User access, both failed and authenticated attempts (destination IP is shown on a report)
  • Compute resources users deploy or cancel
  • APIs for each call (who called the API, the API call and function, etc.)
  • Intrusion Protection and Detection services that observe traffic to customer hosts
  • Additionally, customers have root access to operating systems on their servers, so they can implement additional logging of their own.

Q7: Can I disable access to some of my users through the customer portal?

A: Yes. SoftLayer has very granular ACLs. User entitlements are segmented into different categories, including Support, Security, and Hardware. SoftLayer also gives customers the ability to limit access to public and private networks. Customers can even limit user access to specific bare metal or virtual servers.

Q8: Does SoftLayer patch my operating system?

A: For unmanaged cloud servers, no. Once the updated operating system is deployed on a customer’s server, SoftLayer doesn’t touch it.

If you want help with that hands-on server administration, SoftLayer offers managed hosting. In a managed hosting environment, Technical Account Managers (TAMs) are assigned as focal points for customer requests and issues. TAMs help with reports and trending data that provide recommendations to mitigate potential issues (including OS patching).

Q9: Is SoftLayer suited to run HIPAA workloads?

A: Yes. SoftLayer has a number of customers running HIPAA workloads on both bare metal and single-tenant virtual servers. A Business Associate Agreement (BAA), signed by SoftLayer and the customers, clearly defines the shared responsibilities for data security: SoftLayer is solely responsible for the security of the physical data center, along with the SoftLayer-provided infrastructure.

Q10: Can SoftLayer run government workloads? Does SoftLayer use the FISMA standards?

A: The Federal Information Security Management Act (FISMA) defines a framework for managing information security that must be followed for all federal information systems. Some state institutions don’t require FISMA, but look to cloud hosting companies to be aligned to the FISMA guidelines.

Today, two SoftLayer data centers are audited to the FISMA standards – Dallas (DAL05) and Washington, D.C. (WDC01). Customers looking for the FISMA standard can deploy their workloads in those data centers. Future plans include having data centers that comply with more stringent FedRAMP requests.

For additional information, I highly recommend the on-demand SoftLayer Fundamentals session, “Keep safe – securing your SoftLayer virtual instance.” Also, check out Allan Tate’s Thoughts on Cloud blog, “HIPAA and cloud computing: What you need to know” for more on how SoftLayer handles HIPAA-related workloads.

-Darrel Haswell

Darrel Haswell is a Worldwide Channel Solutions Architect for SoftLayer, an IBM Company.

September 7, 2010

Who you gonna call?

I ain’t afraid of no bathtub. Or rather I wasn’t afraid of no bathtub. Seventy two hours and twelve hundred dollars ago, I wasn’t afraid of the bathtub, toilet or sink. Now I’m not so sure. What am I talking about? Perhaps I better start at the beginning.

A few weeks ago, I had a general contractor come out to my house. One of my bathrooms was in pretty bad shape and I wanted to give it a face lift. I figured it was a small job. New sink, new toilet, new tub. Splash some paint on the walls. Throw down some tiles. Voilà!

The contractor, let’s call him Al, came highly recommended from a buddy of mine who recently had some work done. Al spent about 20 minutes looking at my bathroom, (which I thought was about 10 minutes too long considering we’re talking about a 6 foot by 8 foot room), and then asked if he could sit down at my kitchen table. He pulled out a number two pencil, yellow pad, and a calculator, then began scribbling.

When he was finished he passed the tablet my way, and somewhere near the bottom of the page circled a couple times for emphasis was: 6K. I don’t come from a long line of mathematical wizards, (see, but if six times eight equals forty-eight that comes out to something like $125 per square foot.

“Thanks for your time,” I said, handed Al back his notebook, and showed him to the door.

The following weekend, my son and I went up to Lowe’s. We needed some light bulbs. Well it just so happens that within rock throwing distance of the light bulbs were the bathtubs. And don’t you know once we walked in that direction, we were within eyeshot of the sinks, toilets, vanities, you get the idea.

Quickly, (okay moderately), I began adding up the raw materials in my head. Tub, sink, toilet, light fixtures, I could easily get everything I needed for about a grand. I was inspired. I’m reasonably bright, semi-competent with a hammer, and come to think of it, among other things my grandfather was a plumber for a number of years. Surely that’s the sort of thing handed down generation to generation through DNA—right?

At some point I must have gotten “that look” in my eyes because my son asked which tub we were getting, and could we hurry up please so he didn’t miss “Minute to Win It”.

As with any project, I think it’s best to break a job down into manageable chunks, and as I saw it, there were five obvious tasks at hand: the tub, the toilet, the sink, the walls, and the floor. I started with the tub, because quite frankly the idea of knocking ceramic tiles off the shower wall with a hammer sounded like a blast.

It was fun too. So much so that my son turned off the TV in the living room, opting to get a hammer of his own and help. The dog even ventured as far as the threshold to see what all the commotion was and for about twenty minutes tiles were raining down, and hammers were thwacking, and I was thinking to myself: six thousand dollars my butt—I should charge for the pleasure of demolishing my wall. That’s when I noticed an unpleasant odor.

I looked at my son, who was looking at me, and then we both turned and looked at the dog who promptly let out a whimper and ran off in search of breathable air. The odor quickly elevated itself to the title of stench and the adjective unpleasant was upgraded to down-right-nasty. At the risk of permanent blindness I poked my head into the hole where the drywall had been.

My eyes were watering and it was too dark to see. Knowing a lighter in this situation was not the way to go I sent my son for a flashlight. Even with the flashlight I could find nothing to explain the foul odor and when stuffing the holes with rags and shutting off the room failed to alleviate the level red pollution watch that rapidly spread throughout the house, my son, the dog, and myself were forced to evacuate and check into a hotel.

It took the plumber six hours at weekend rates to cap off the leak, and two more days to actually repair the problem. Including the night at the hotel, my experiment in bathroom remodeling has tallied up to just about twelve hundred dollars. And really, considering my original task break down, I’ve only completed 1/5th of the job. As I already mentioned, I don’t come from a long line of mathematical wizards, (if you missed it the first time see, but twelve hundred times five is 6K.

I guess what I’ve learned is that sometimes you have to call in the pros and just maybe extend a little trust—especially if that pro comes highly recommended. I’m a wiz when it comes to programming low-level utilities, system software, and drivers. That’s why SoftLayer hired me. But I’m no plumber.

My point is each of us has our own area of expertise. We can’t all be everything, and the same is true when it comes to a business. Whatever your business is, you are undoubtedly good at it. But take it from me you can’t be an expert at everything.

SoftLayer comes highly recommended: do a simple Google search and you’ll find customer after customer raving about our support, our reliable network, our flexible API. And we know Information Technologies inside and out. We have hardware engineers, software engineers, support engineers, and some of the most knowledgeable sales folks I’ve ever met anywhere.

Sometimes it just makes more sense to concentrate on your core competencies. The next time you require dedicated computing resources or cloud services, pick up the phone and give SoftLayer a call. You’ll be glad you did. Oh, and the next time you need a plumber, well, I have a guy for that too I can recommend these days.
