What is ISO 9001:2008? This is Gonna Be Fun!


English: Illustrative diagram of history of development of ISO 9000 series of standards (Photo credit: Wikipedia)

Hosting Company Auditing and Certification — Part 3-A of 3

In addition to Superb Internet’s ITIL staff certification (Part 1 of this three-part series) and our SSAE-16 auditing (Part 2), we are certified for the ISO 9001:2008 standard. Part 3 is split in two, making four articles in all; 3-A and 3-B together form the final part, since both cover this same standard. This article (3-A) covers the first two sections of the standard, Sections 4 and 5, and 3-B covers the remaining three, Sections 6 through 8.

“You and your standards. You’ll never mount a 28-point buck on your wall if you don’t lower your standards to the point where you can do and say whatever you want, such as call a 3-point buck a 28-point buck.”

3-point? That’s lopsided, isn’t it? Listen, sir, again – please stop disrupting my train of thought. ISO is short for the International Organization for Standardization (that’s correct, despite the lettering flip-flop). Its goal, as stated in its initial charter created by a 25-nation delegation that met in London in 1946, is “to facilitate the international coordination and unification of industrial standards.”

“Interesting. You do realize that most meetings of folks outside America in 1946 were just an excuse for pinkos to exchange bomb-making and dirty-dancing techniques, right? Or are we reading different websites?”

Well… Unfortunately I’m busy now writing this piece, but once I’m through, I’d love to hear what kind of sultry dance moves were most prevalent during the 1940s. ISO 9001:2008, one of the standards developed and maintained by the ISO, contains parameters for a credible quality management system. Regardless of the size of a business or its industry, 9001:2008 certification is useful for demonstrating the full functionality of quality management practices within an organization.

“My quality management system involves dunking my head in a bucket of ice water when I’ve had too much to drink. Makes me feel refreshed… and very cold.”

I can imagine. It’s a good system you have, though. No one can fault you for that. Below I will review the importance and scope of the International Organization for Standardization, why 9001:2008 has significance, and further explanation of what it entails as a third-party certification method.

The ISO: Diverse Scope, Unified Mission

Since its inception, the International Organization for Standardization has created almost 20,000 standards. All its standards are voluntary. However, as with the SSAE and ITIL credentials we hold, sometimes our clients have internal rules specifying that they can only work with organizations possessing certain third-party certifications.

“I’ll show you a third-party certification. It’s called my American Nazi Party voter registration card.”

Please, please don’t ever vote, my man. The ISO streamlines business practices by placing global guidelines on how organizational systems should be administered and managed. Additionally, because the ISO has members from over 160 nations and creates standards via consensus, international trade is enhanced by agreements made at the level of standardization (or so say its advocates).

“Gotcha, you con-artist! Everyone knows there are only 43 countries. Well… I guess 44 if you count Antarctica.”

You have an interesting globe. How many countries are in South America, for example? Two? Paraguay takes up half the continent? Additionally, the ISO, because it is comprised of so many nations, is able to draw on the perspectives of experts from all over the planet. The diversity of the organization’s membership allows the standards it creates not only to be objective, but also to be flexible enough to allow application across a worldwide cultural tableau.

“I’m looking for a woman who’s flexible enough to allow application across a worldwide cultural tableau.”

Thank you for sharing.

What is the ISO 9000 Family?

Here’s how 9001:2008 fits into the broader picture of the standards. A topical subgroup within which the ISO organizes standards pertaining to certain subject matter is referred to as a “family of standards.” Sample families are quality management, environmental management, country codes, food safety management, social responsibility, energy management, risk management, currency codes, and language codes. The ISO 9000 family, of which 9001:2008 is a part, covers quality management.

“Ma’am, I’d like to uncover your quality, and then I’d like to manage it.”

Wow, your mind is really in the gutter. The quality management heading for ISO 9000 denotes creating a meaningful relationship between the needs and desires of a customer and the products and services offered by an organization. Examples of some of the “siblings” of 9001:2008 include 9004:2009, which specifically covers improving the efficiency and effectiveness of a quality management system, and 19011:2011, which standardizes auditing (both in-house and third-party) of such a system.

“I once got ‘audited’ by the IRA. They were very violent. I’m lucky to have survived.”

The Irish Republican Army? Huh, well, I’m sorry that happened to you.

ISO 9001:2008 – Section 4: “General Requirements”

Let’s take a look at the individual sections of the standard. The standard has 5 sections that run from “Section 4” to “Section 8.” They cover, in order, General Requirements, Management Requirements, Resource Requirements, Realization Requirements, and Remedial Requirements.

“I require that you stand at the other end of the shooting range during target practice.”

That’s not a very nice thing to say. Section 4 covers the following:

1. Development of the Quality Management System (QMS) – Section 4.1 is kind of an overview. It includes doing the following with the QMS:

  • Establishment
  • Documentation
  • Implementation
  • Maintenance
  • Improvement.

It also introduces the idea of basing the QMS in a process model – such as the PDCA (Plan/Do/Check/Act) Cycle – to allow for constant adaptation.

2. Documentation of the QMS – Section 4.2 deals with documents in the following ways:

  • Ensure that the paperwork is related to what your business does, that it’s properly customized to your culture and industry.
  • Specifically it’s advised to create a manual that has to do with quality; it should be regularly reviewed/revised.
  • Place proper controls on this paperwork. This applies both to documents and records (below).
  • Records need to also be created and controlled. These records are data and information (aka inputs) related to quality over time — as opposed to general overview, descriptive, and policy statements made in the manual.

“I never met a man I respected who didn’t know how to control his records. Loved every one I met who could. Like Metallica once said, ‘Nothing else matters.’”

That’s an interesting perspective. Thanks for the Metallica reference. That’s helpful.

ISO 9001:2008 – Section 5: “Management Requirements”

Section 5 sets out the requirements for management. To be clear, this relates to managing the QMS; however, the individual in charge should also be someone within the management of the company (see #5 below). An overview of this section:

1. Dedication to Quality – Section 5.1 has to do with the following efforts related to integrating a prioritized attitude toward quality into your company via support:

  • Make sure it’s easy for the system to be created and developed.
  • Make sure it’s easy for it to be put into place, to be implemented.
  • Also ensure that you can easily make modifications and improvements to the QMS.

2. Customer Focus – You heard it here first: the customer is always right. Section 5.2 deals with maintaining a customer-centered perspective in these two ways:

  • Identification of their concerns. Find out what your customers want.
  • Meet their concerns. Don’t turn customer concerns away at the door. Ensure that all needs are being properly addressed.

3. Quality Policy – 5.3 addresses specifics of how to manage and maintain your internal quality policy in the following ways:

  • It should be functional and clear about the requirements.
  • It should express improvement processes and dedication to evolution.
  • Your quality policy should directly reflect your objectives (below).
  • Make sure that the policy is disseminated and fluidly open to suggestions from everyone in your organization.
  • Perform regular reviews, and revise as needed.

4. Proper Planning – Make sure plans are in place to allow the QMS to grow and thrive methodically, per Section 5.4, as follows:

  • Support, create, and ensure the functionality of quality objectives, so you know what you’re trying to achieve.
  • Plan to create the QMS, document it, and put it into place, as well as to perform regular upkeep and modifications.

5. Who Does What – Section 5.5 mandates determining the roles and responsibilities for quality within your organization … like so:

  • Make sure it’s clear who’s in charge of what, as well as what exactly the designated individuals need to do within their roles.
  • Everyone in the organization should know who these designees are.
  • An executive in your organization should be ultimately in charge of the QMS.
  • You should have a framework in place to allow and encourage internal dialogue about the QMS.

6. Regular Reviews – Section 5.6 relates to reviews of the QMS:

  • Perform reviews at reasonable intervals. Look at opportunities for improvements. Keep records.
  • Look at and study your QMS inputs (information/records).
  • Create outputs. In other words, you need takeaways from these reviews. What did you learn? Also determine what resources are needed moving forward.

“9/11 was an inside job!”

Sir …

“You’re the one using bullets! You’re a hypocrite.”

OK …

Summary & Conclusion

These standards are important to us at Superb Internet. They allow us to demonstrate both our commitment to standards established by the international community and our ability to actually meet those standards. We are, after all, certified in ISO 9001:2008.

So far, we have covered general and management requirements. Essentially, you need to create a sustainable system, take it seriously, make it adaptive, and enhance communication; doing so will ensure it is an organic, flexible, organization-wide team effort. Assign roles and responsibilities. Collect data, analyze it, and document your takeaways. Ensure that there are always outputs to correspond to the inputs (data and info) flowing through the QMS.

We have three sections left, which will be covered in the final part of this series, 3-B: resources, realization, and remediation. OK I’m through. Let’s get to those sultry dance moves, buddy: I can handle the truth.

by Kent Roberts and Richard Norwood

What is SSAE-16: 2 Report Types & Critics


Logo of the United States Government Accountability Office. (Photo credit: Wikipedia)

Hosting Company Auditing and Certification — Part 2 of 3

Along with Superb Internet’s staff certification for ITIL (covered in Part 1 of this series) and our ISO 9001:2008 certification and registration (Part 3), we are also SSAE-16 Audited.

“Oh, fiddlesticks, that’s a government-infiltration agenda if I ever saw one.”

Man – you again? OK, well, let me explain it. Just, give me a chance here. SSAE-16 (Statement on Standards for Attestation Engagements, #16) was created by the American Institute of Certified Public Accountants (AICPA) as a system of cut-and-dried standards which a business must follow with its finances.

“Must follow. Must follow the lemmings down to Mongoose Hollow.”

Mongoose Hollow … huh, that must be your euphemism for the IRS? Anywho, attestation engagements are worth a quick look. Let’s turn to the U.S. Government Accountability Office (GAO), a governmental agency run by the Comptroller General that “works for congress” (though with its own independent sets of controls) and “investigates how the federal government spends taxpayer dollars.” According to its Auditing Standard 2.07, attestation engagements “concern examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion about a subject matter and reporting on the results.”

“Yeah boy!”

Um … I’ll move on. SSAE is extraordinarily difficult to understand – not because its parameters are difficult but because the only explanation of SSAE-16 on the website for the AICPA is at this URL: http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx.

“You and your capital letters and your big ideas, typing it all in, like the Central Insanity Agency ain’t watching ya.”

Sir, I’m just explaining an accounting method. So … the information from the organization that created the document itself has all information about it BURIED within its website. Additionally, the extent of the information is a massive PDF which includes the language for the standard itself and this explanation describing it: “Reporting on Controls at a Service Organization / This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.”

“Read that fourteen times, and it will finally make sense. Once it makes sense, that’s when you know they’ve got ya.”

Well, all right they have me. You win, buddy. Actually it’s much simpler than it sounds. Let’s look below on how to understand SSAE-16 so you know why it means we’re credible alongside our other certifications. We will look at the two types of certifications/reports you can receive. Finally, we will look at critiques to get a broader perspective on the topic – and how it differs from other financial audits.

SSAE-16 in Action

When you get SSAE-16 audited, a third party accounting company makes an assessment of the financial controls your business has in place. It then creates a report and opinion stating the findings of its investigation. The results of the audit make it clear whether or not the business has appropriate, baseline checks and balances in place within its service model so that users can breathe easy.

“I will never allow any man to investigate my machines. It’s unwholesome. Bunch of fellas looking at each other’s numbers.”

All right, that’s uncalled for. And who said it was a man, anyway? Please stop making assumptions. There are two kinds of audit reports. One, also referred to as a Type I audit, is entitled “Report on Controls Placed in Operation.” The other, the Type II version, is called “Report on Controls Placed in Operation and Tests of Operating Effectiveness.” Essentially the first report focuses on the types of controls that are likely operating during a certain window, aka the “period of review” – but it does not completely verify that the controls were in place at that time. The second provides that additional verification that the controls were in place.

“No one will ever either view or review me. That’s why I stay in my cellar with the squirrel artillery, waiting for everyone to leave town.”

Hm. Thanks for the input.

Do You Need SSAE-16 or Not?

The good news: this type of auditing is not legally required for any company that distributes a service. However, an outside party may request it – whether because of that party’s own requirements or because someone is auditing a company that uses your service. Plus, it makes it less likely that an outside auditor will need to audit your system to gauge risk, because they will already have a standardized assessment of your controls in the SSAE Type II report.

“Type I, Type II – sounds like they’ve found yet another way to get diabetes into us: through our accountants.”

I don’t think this has anything to do with diabetes, sir. Like many organizations, the reason we choose to have this type of auditing performed is threefold:

  1. It gives us a chance to prove that, alongside our other certifications, we meet standards of legitimacy established by independent third parties.
  2. It gives us access to clients who require this type of auditing and otherwise may not be able to work with us.
  3. It provides another professional perspective on the accounting principles we have established internally.

“That sounds wonderful. Give the government all your business’s numbers, the keys to your house, and your eldest daughter.”

Sir, that’s out of line. I’m just trying to go over some standards here. Please. A data center that is only used for internal business purposes will not necessarily need to have this type of auditing performed. However, those such as ours that provide a service can benefit from SSAE certification.

As Jeff Clark points out, SSAE-16, rather than being about your core business of the service itself – delivery of services to users – is centrally concerned with the financial needs of your clients. Keep that in mind. It’s why something such as ITIL, which has to do with the quality of service, is so important.

SSAE-16 Case Study: Acquia

Josette Rigsby looked specifically at one company, Acquia, a provider of products and services for use with Drupal (the open-source CMS), to get a sense of whether SSAE auditing can be helpful. She asked how the certification might be useful to vendors seeking to establish credibility.

“I sold cotton candy once at the state fair: no certification, no problem. Cash only. No receipts.”

Sir, we are talking about business services here, not cotton candy. A company such as Acquia, which has a cloud-based model, is able to quell fears among clients related to “security, lack of open standards to prevent platform/vendor lock-in and loosely defined service level agreements.” SSAE-16, however, does not cover all the bases to ensure business legitimacy. In addition to SSAE, Acquia and other cloud service providers (CSPs) adopt the standards of organizations such as OpenStack or CloudStack so that their systems have been reviewed by external independent parties from numerous angles. Our business, similarly, has the ITIL and ISO certifications as well.

“My show pig Julie once won a certification at the Clarksburg Leaf & Stick Festival. She keeps it on her end table. She’s very proud of it.”

Excellent, tell her I’m rooting for her, and I hope she’ll root for me too.

Beyond SSAE: Why Multiple Certifications Matter

The controls reviewed by SSAE relate to a broad spectrum of business practices, including data backup and security, network maintenance and security, and customer support. However, it is not enough. Let’s see what two critics of the auditing procedure have to say about why the certification is only one piece of establishing legitimacy.

  1. Baseline Standards – As Jeff Clark notes, SSAE-16 auditing does not grade on a scale. It’s a “yes or no” set of parameters. Passing the auditing inspection simply means that a company has a reasonable set of baseline standards as established by the AICPA.
  2. Fuzzy Terminology – Josette Rigsby points out that a business can state during a review that its controls are fine regardless of the auditing process’s findings. If this occurs, the business can state that it has been SSAE audited even though it did not actually pass.

“I just passed gas, does that count? Where’s my certificate, buckaroo?”

Ah come on. We’re in a small room – have some respect. A loophole like that described by Ms. Rigsby means that additional certifications are essential to give clients and partners a better sense of your professional legitimacy. As far as Superb goes, our staff is ITIL Certified (a certification established initially by the United Kingdom government to provide IT standards so that they weren’t only developing independently, in some cases haphazardly, within businesses) as well as ISO 9001:2008 certified and registered.

“Wow, that last one has eight numbers. It must be important. Seven numbers, I would have said, ‘How about one more? Then you’ll have me impressed.’”

I think we’ve covered the fact that you don’t like or appreciate our certifications, sir. Here, have some chamomile tea.

How SSAE-16 Differs from Other Financial Auditing

If you get an audit, you’re typically just looking at your financial figures. SSAE focuses explicitly on how those figures relate to your services – how the services themselves are controlled and guided, and how the services interact with your financial system. An audit can give a sense that your financial system and finances themselves are efficient and sound, but that’s not your clients’ concern. The client cares that you have assurance specifically to your services, so they know that their information and processes are safe within your set of controls.

“I feel very safe. Hm. This tea is delicious. Do you have any honey? I don’t want to have to shake it out of the beehive again, that’s painful.”

Here you go. Drink up.

Summary & Conclusion

Though there are of course critics of SSAE-16, and though some of their concerns are valid, these types of certifications are incredibly important to letting our users know we are transparent about our internal policies. The standards we have adopted, and the analyses and examinations we undergo, allow us to simply and concisely express to our customers that

  1. we meet major industry standards; and
  2. we have undergone the scrutiny of multiple outside organizations to prove it.

by Kent Roberts and Richard Norwood

An Introduction to Different IP Classes

With the explosive launch of the world’s mobile networks, we were facing the prospect of imminent IP address exhaustion. Only so many IP addresses were ever created and allocated to hosts and Internet service providers, so a long-term solution to IP address depletion became a serious concern. What was needed was an IP address architecture that could span not just billions of connected devices but hundreds of billions of devices or more. Out of this effort came version 6 of the Internet Protocol, or IPv6.

A Primer on IPv4, IPv6 and Transition


From www.circleid.com – 3 weeks ago

There is something badly broken in today’s Internet. At first blush that may sound like a contradiction in terms. After all, the Internet is a modern day technical marvel.

Juliana Payson’s insight:

I need a few days to absorb the information in this article. It’s extensive, not so much a primer, but a very in-depth article about the way the internet stands to date in terms of size and transition to the new IPv6.

How and Why All Devices in Your Home Share One IP Address



From Tech go simple – Today
If you’re like most people, your Internet service provider hands you a single Internet Protocol address and your router shares it amongst all the connected devices in your home. This actually violates the end-to-end principle, which the Internet was designed around. However, there are only so many IP addresses to go around – we’re running out.

Juliana Payson’s insight:

There are less than 4.2 billion available IPv4 IP addresses. In other words, there are more people owning connected devices on the planet than there are unique, public IP addresses for the devices, let alone the fact that many people will own more than one device. The Internet is running out of IPv4 addresses, even though we’re rationing them. The only way we can have so many devices connected to the internet is to do with something called NAT.

In the following article, using a bit of technical ingenuity, a sysadmin demonstrates how he can use his Android phone as the Internet connection for several devices routed through his Linux laptop.

Setting up NAT and MASQUERADE for sharing USB Tether connection over LAN



From tuxdna.wordpress.com – Yesterday

The only source of Internet connection I have currently is my phone. I wanted to share this network with other systems, via a LAN/wireless router. So here is a basic setup: Android Phone with USB…

Juliana Payson’s insight:

The laptop becomes a default gateway for the rest of the machines connected to the router – his phone. Given the recent Syrian internet cut-off, ingenious skills like these may come in handy for those with difficult internet connections. Let me know if you’ve also tried using your phone as a hotspot for the internet. - Juliana
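The two items above (every device at home sharing one address, and the laptop masquerading a LAN behind a USB-tethered phone) come down to the same mechanism: connection-tracked NAT with port translation. The following Python model is an added example, not code from either article or from the tuxdna blog. It assumes a private LAN of 192.168.0.0/24 and uses constructed sample addresses (100.64.7.21 and 100.64.9.3 for the uplink address the phone hands the laptop, 203.0.113.5 and 198.51.100.9 for remote hosts). It shows why replies find their way back to the right LAN host, why two LAN hosts using the same source port do not clash, why unsolicited inbound traffic is dropped, and why MASQUERADE, unlike a static SNAT, forgets its translations when the uplink address changes.

```python
"""Toy model of NAT/PAT as a masquerading gateway performs it.

Added example (not code from the original posts or from the tuxdna article).
It models the tethering scenario: a Linux laptop with a private LAN on
192.168.0.0/24 and an uplink address handed out by the phone. All addresses
are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four fields a connection-tracking NAT keys on (TCP/UDP assumed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Many private hosts share one public address by rewriting source ports."""

    def __init__(self, lan_prefix: str, first_port: int = 32768, last_port: int = 60999):
        self.lan_prefix = lan_prefix          # e.g. "192.168.0." (constructed)
        self.wan_ip: Optional[str] = None     # address the uplink currently has
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        # (lan_ip, lan_port, dst_ip, dst_port) -> public port used on the uplink
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def set_wan_address(self, ip: Optional[str]) -> None:
        """MASQUERADE uses whatever address the uplink has right now.
        If the uplink drops or gets a new address (phone reconnects), every
        existing translation is forgotten, unlike a static SNAT."""
        if ip != self.wan_ip:
            self.out_map.clear()
            self.in_map.clear()
        self.wan_ip = ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: rewrite the source to wan_ip:public_port."""
        if self.wan_ip is None:
            return None                       # no uplink, nothing to masquerade as
        if not pkt.src_ip.startswith(self.lan_prefix):
            return None                       # not from our LAN: do not forward it
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub = self.out_map.get(key)
        if pub is None:
            pub = self._choose_public_port(pkt)
            self.out_map[key] = pub
            self.in_map[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, pub, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only packets matching a translation get through.
        Anything unsolicited has no mapping and is dropped, which is why a
        host behind NAT is unreachable from outside unless a port is forwarded."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)

    def _choose_public_port(self, pkt: Packet) -> int:
        """Keep the host's own source port when it is free toward that
        destination (as netfilter tries to); otherwise draw from the pool."""
        if (pkt.src_port, pkt.dst_ip, pkt.dst_port) not in self.in_map:
            return pkt.src_port
        for _ in range(self.last_port - self.first_port + 1):
            candidate = self.next_port
            self.next_port = candidate + 1 if candidate < self.last_port else self.first_port
            if (candidate, pkt.dst_ip, pkt.dst_port) not in self.in_map:
                return candidate
        raise RuntimeError("public port pool exhausted for this destination")


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the tethered-laptop scenario with constructed addresses."""
    nat = Masquerader("192.168.0.")
    nat.set_wan_address("100.64.7.21")        # constructed: address the phone gave the laptop
    laptop = Packet("192.168.0.10", 40000, "203.0.113.5", 443)
    desktop = Packet("192.168.0.11", 40000, "203.0.113.5", 443)   # same source port, same server
    results: Dict[str, Optional[Packet]] = {}
    results["laptop_out"] = nat.outbound(laptop)                  # keeps port 40000
    results["desktop_out"] = nat.outbound(desktop)                # collides, gets 32768
    results["reply"] = nat.inbound(Packet("203.0.113.5", 443, "100.64.7.21", 32768))
    results["spoofed"] = nat.outbound(Packet("10.0.0.5", 5555, "203.0.113.5", 80))
    results["unsolicited"] = nat.inbound(Packet("198.51.100.9", 12345, "100.64.7.21", 8080))
    nat.set_wan_address("100.64.9.3")         # phone reconnected with a new address
    results["stale_reply"] = nat.inbound(Packet("203.0.113.5", 443, "100.64.9.3", 40000))
    results["resumed"] = nat.outbound(laptop)                     # fresh mapping on the new address
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

On a real Linux gateway the same behaviour comes from the kernel: `net.ipv4.ip_forward=1` plus an `iptables -t nat -A POSTROUTING -o <uplink> -j MASQUERADE` rule, where `<uplink>` stands for the tether interface. The model’s refusal to forward non-LAN sources and unsolicited inbound packets corresponds to FORWARD-chain rules that accept LAN-to-uplink traffic and only `ESTABLISHED,RELATED` traffic back the other way; that is what keeps the machines behind the laptop from being exposed through the phone’s address.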


What is ITIL – 5 Goals & 6 Reasons


English: An ITIL Foundation Certificate pin used to attach to a shirt. The diamond is the ITIL logo; there are three levels: Green: Foundation certificate, Blue: Practitioner’s certificate, Red: Manager’s certificate (Photo credit: Wikipedia)

Hosting Company Auditing and Certification — Part 1 of 3

At Superb, we have a staff that is certified in ITIL.

“So, what? What is it? Tell me what it is!”

Just hold on, hold on, whoever you are. Let me get through the introduction. ITIL stands for Information Technology Infrastructure Library (http://www.itil-officialsite.com/WhatisITIL.aspx). It’s used by organizations as large and different as NASA and Disney. Providers who help implement accreditation and consulting for ITIL include IBM and Hewlett Packard.

“Whoop-de-do.”

Sir, please, no heckling. All right, let’s get to it. The man we’ve all been waiting for – well, not really a man, or a woman, but a thing – the Information Technology Infrastructure Library in all its glory. This is gonna be fun.

History of ITIL

“Hey, hey you, with the book-smarts and the highfalutin ideas. You ain’t from around here, are ya? I can tell by all the words and pages and … dag-nabbit, that’s a Europe accent ain’t it? Ooh-ee, I was wondering what was smellin’ so bad around here.”

Calm down sir, and behave yourself. Yes, it’s true: ITIL originated in the United Kingdom. The Central Computer Telecommunications Agency (CCTA), a department of the UK government, came up with a set of standards in the 1980s. These standards were not considered a set of rules but recommendations.

The original reasoning behind ITIL, then, was to offer companies a way to be held accountable and to help improve IT management for the benefit of businesses, partners, and clients. It offered a freely given set of best management practices for IT so that those practices weren’t just growing independently within private businesses – a central knowledge base and certification process seemed desirable. The end goal was that service improved as the IT management system improved.

“Ohhh … I get it. Some kind of government takeover of our minds. I knew it! I knew it! Anytime I see a bunch of capital letters in a row, I go get ready for a shotgun wedding, because I know there are some squirrely men in town.”

Now that’s just not fair, sir. The IT Infrastructure Library was initially issued as a series of books. Each one focused on a different “best practice” area. The basis of the books may have been W. Edwards Deming (no, not the inventor of the modern toilet brush – that’s William C. Schopp … completely different names really), whose plan-do-check-act cycle is a version of organizational modeling for businesses – or any organization or person, really – to use to optimize their systems (discussed below).

ITIL Version 3, released in 2011, is now the standard for any type of ITIL accreditation. ITIL covers a broad range of IT topics, but generally speaking, the service-oriented knowledge is what’s of most interest to businesses, as opposed to application and management focused materials that have also been developed within the ITIL model.

It’s also important to note that ITIL itself does not give out accreditations. All it is is a government-developed system of recommendations that you can either follow or not – up to you. You can, however, become ITIL certified by any of a number of examination organizations that ARE vetted by the HM government via its partner the APM Group.

“HM, as in ‘Her Majesty’?? What, now I’m bowing down to the queen? Can I at least be knighted while I’m on my knees, like Dubya’s dad was?”

Well, uh … you might want to read this article. Also, I don’t think you’re qualified to be knighted, sir, unfortunately, but I’ll see what I can do.

Plan-Do-Check-Act (aka PDCA) Cycle

Let’s look briefly at Plan-Do-Check-Act, so we get a sense of the basic philosophy behind ITIL or at least something with a lot of similarities to its theoretical basis, so we know why it’s so damn awesome.

OK, so the Plan-Do-Check-Act (PDCA) cycle is also called the Deming cycle (after Deming, above) or the Shewhart cycle (after Walter Shewhart). It’s a way to model an organization or a piece of an organization that allows for continuous improvement. It consists of course of four steps, but those steps keep continuing, cycling through repeatedly. There’s nothing mandatory about it, it’s just a system you can potentially use if you like.

“Oh, like Driver’s Licenses, I get it. They want my numbers.”

No, it’s nothing like Driver’s Licenses. Come on buddy. With the PDCA cycle model, you do the following:

  1. Plan – The plan is, simply put, the activity of getting ready for a change in the organization. Note: the change is a trial, so it does not have to be correct.
  2. Do – Do involves taking a small sampling and seeing if the planned change improves things. Think of test-marketing or beta-testing – but this system also applies internally.
  3. Check – This step is essentially analysis. Does it work, or not? The analysis is very important – if the analysis is rigorous and refined, you’re golden. This step is the easiest place for corruption, so Checking must be performed carefully.
  4. Act – Go for it. Didn’t work? Start over with planning again.

Note how similar this system is to the scientific method – testing hypotheses (Do) and reviewing outcomes (Check) to determine if your objective (Plan) is correct. It essentially is the scientific method put into different words. Again, the Checking is crucial – it’s easy to think something works or trick oneself into thinking something works that doesn’t.

“Trickery from the state of Mississippi! They all want to build highways to the moon!”

Again sir, you’re making less sense all the time. Remember, this process we’re focusing on is ITIL, which comes out of the UK, not Mississippi. We don’t need your input. I’m not quite sure why you’re a part of the article.

“So it ain’t one-sided, you 1s and 0s bookworm!”

Right, gotcha. Hm, you understand binary … uh, let’s move on.

5 Goals of ITIL

ITIL today – vs. its past broad approach toward service, applications, and management as discussed above – is focused squarely on service and the management of service. ITIL calls itself “practical” and “no-nonsense” – so it’s an organizational IT cycle you can use that has a lot in common with wrinkle-free slacks. ITIL is intended to encompass the way that IT departments and IT professionals go about business.

“Encompass. Sounds like the Eye of Providence on the one-dollar bill to me, staring at me like a cackling witch.”

Uh … no comment. For us at Superb, having an IT staff who knows ITIL parameters means we can know that both our management and support teams are part of a structure that allows our IT services to be truly “Superb.”

Where’d the guy go with his snappy comments?

“I’m fishing.”

Oh, well … all right. ITIL is not one-size-fits-all: it’s an adaptable set of principles. You can customize it to your business. So the theory and principles are what’s important within the ITIL perspective. Application of ITIL will always be a little different depending who’s using it and the setting in which it’s used. The core of ITIL, though, is adaptation and improvement as a continuous cycle, as described above.

ITIL addresses the following through its five modules that comprise the ITIL v3 Service Management framework:

  1. Needs/Requirements – This helps a business identify the “demand” for certain IT specifications. (Analogous to Plan of PDCA)
  2. Design & Implementation – This is of course where design, development, and similarly active problem-solving come into play. (Analogous to Do of PDCA)
  3. Operation – Next you’re putting all the pieces into play. This is the second part of actual systemic testing. (Analogous to Do of PDCA – Part 2)
  4. Monitoring – Here’s where the analysis comes in. A lens is focused on whatever aspect of the organization is attempting change: “Is it working?” (Analogous to Check of PDCA)
  5. Improvement – Well, this is the goal. Based on monitoring, either the organization has improved or it’s back to square 1. That’s not a bad thing. It’s crossing out something that didn’t work. Sometimes service management, like anything, is about process of elimination. (Analogous to Act of PDCA)

 

“Shhh. You’re scaring away the … whatever kind of fish these are.”

That’s a very algae-infested pond you’re fishing in, sir.

“You and your ‘sanitation.’ I bathe when it rains, as does this pond.”

Why ITIL? 6 Reasons

Here are a few of the positive results that can arise from implementing ITIL:

  1. Efficiency: Better, streamlined, more efficient IT service.
  2. Cost: Lowering the expenses of IT departments and the overall business.
  3. Customer Experience: Customers have a better experience – because the system “works” coherently so that everything makes sense to all parties involved.
  4. Productivity: The business becomes more productive because there are fewer snags preventing adaptation to changes in the business and the market.
  5. Employee Optimization: Positive employee attributes – skills and experience – are put to better use. This process allows individuals to flow into the most appropriate positions and tasks.
  6. Partner Servicing: Better delivery of any services that are issued by a company outside the organization. This improvement is felt both by the business itself and by its partners. It’s especially applicable in the case of hosting, since that’s a service so integrally connected to its clients’ own businesses.

 

“In case you’re wondering, I’m taking a nap now. That’s why I’m … you know, it’s sunny out here. So I’m asleep in the hot sun.”

OK … thanks. Goodnight.

Summary & Conclusion

ITIL is part of a general picture for us at Superb Internet. We have a few other auditing and certification standards that help our business have the kind of credibility we want but that also help us see where we can do a better job. We take these standards very seriously.

ITIL itself has adapted considerably since the 80s (which is a good thing!), but it’s still fundamentally concerned with Planning, Doing, Checking, and Acting. In its own terms, ITIL allows a business to Identify needs; Design, Implement, and Operate potential solutions; Monitor the results; and Improve. All of this is a perpetual cycle, allowing the business to grow stronger for itself and its clients over the long haul.

by Kent Roberts and Richard Norwood

How an IP Address Works

Often hear the acronym “IP address” thrown around? SEO (Search Engine Optimization) people seem to use it as though it’s a numeric stealth ID for tracking you down. Well, it’s kinda like that. Here are a few very recent, and very good, takeaways on what an IP address is and, more importantly, how it affects you or how you can use it to your advantage.

How Public WAN IP works

 

From wirelessvictory.wordpress.com – 1 week ago

When you are connected to the Internet, you actually have two different IP addresses, a private LAN IP and a public WAN IP. In most home network applications the router connects your local group of devices…

Juliana Payson‘s insight:

The router usually assigns unique local IP addresses to all of the devices connected to it via a service known as DHCP. The addresses assigned by your router are private addresses and are not routable across the Internet. Whilst you may be confused or sick of reading yet more acronyms, this article by Wireless Victory is an important foundation of definitions in today’s consumption of all things wireless. Most people probably don’t even realize they have a LAN (Local area network) at home connected by their Wireless Router.  It’s likely that all your family phones are connected as devices, including your iPad, your Digital television, your Wireless Printer, and your Blu-Ray, or Set-top-box digital receiver…
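As an added example (not code from the Wireless Victory article or from this post), here is a small Python script that does what your router has to do in its head: it tells private LAN addresses from public WAN ones, counts how many addresses a typical home LAN can hand out, and flags the case where the “public” address your ISP gave you is itself carrier-grade NAT space, which matters the day you want to forward a port. The sample addresses are constructed; the ranges come from RFC 1918 and RFC 6598.

```python
"""Tell a private LAN address from a public WAN one, the way a home router has to.

Added example, not code from the article above. Sample addresses are constructed;
the address blocks come from RFC 1918 (private), RFC 6598 (carrier-grade NAT) and
the IPv4 special-purpose registry (loopback, link-local).
"""
import ipaddress

# Blocks that are never routed across the public Internet. A packet whose source is
# in one of these has to be rewritten (NAT) by the router before it can go anywhere.
NON_ROUTABLE = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("carrier-grade NAT shared space (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local / APIPA (self-assigned when DHCP gave no answer)", ipaddress.ip_network("169.254.0.0/16")),
]


def classify(addr: str) -> str:
    """Return which non-routable block an address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # IPv6 has its own non-global ranges (fc00::/7, fe80::/10, ::1); let the library judge.
        return "public" if ip.is_global else "IPv6 non-global"
    for label, net in NON_ROUTABLE:
        if ip in net:
            return label
    return "public"


def usable_hosts(cidr: str) -> int:
    """Host addresses available on a LAN: the network and broadcast addresses are
    excluded. One of the remaining ones is the router itself."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept "192.168.1.1/24" as well as "192.168.1.0/24"
    return max(net.num_addresses - 2, 0)


def nat_required(src: str, dst: str) -> bool:
    """True when traffic from src to dst cannot be routed as-is: a non-routable
    source talking to a public destination must be translated by the router."""
    return classify(src) != "public" and classify(dst) == "public"


def behind_carrier_nat(wan_addr: str) -> bool:
    """The WAN address an ISP hands a router is sometimes itself private or RFC 6598
    space. Then a second NAT sits upstream, and a port you forward on your own
    router cannot be reached from the Internet."""
    return classify(wan_addr) != "public"


if __name__ == "__main__":
    # Constructed home network: a private LAN behind a router. 198.51.100.7 stands in
    # for a public WAN address (it is in the RFC 5737 documentation range).
    lan = ["192.168.1.1", "192.168.1.20", "192.168.1.37"]
    wan = "198.51.100.7"
    for a in lan + [wan]:
        print(f"{a:16} {classify(a)}")
    print("usable LAN addresses:", usable_hosts("192.168.1.0/24"))
    print("LAN -> Internet needs NAT:", nat_required(lan[1], wan))
    print("behind carrier NAT:", behind_carrier_nat(wan), "/", behind_carrier_nat("100.64.5.9"))
```

The practical check is `behind_carrier_nat`: if the address on your router’s WAN status page is in 100.64.0.0/10 or an RFC 1918 range, your ISP is doing the same translation your router does, and port forwarding on your side alone will not expose a service.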

Here’s how to take control of your privacy:

How to Change Your Router’s IP Address | Wireless Home Networking

 

From blog.laptopmag.com – 1 week ago

By changing your router’s IP address you can give your home network an added layer of Wi-Fi security.

Juliana Payson‘s insight:

You’ll want to change one or both of the last two numbers of the IP address in the LAN IP Address field. You can use any integer from 1 to 254 for each, giving you 64,516 possible combinations and making it harder for someone to guess your router’s address. Why is this important? Well, you’ve often heard of people hijacking your bandwidth, or grabbing cookies that store your login information. By changing your router’s IP address from the factory default, you’ve added a hurdle for someone trying to break in. Be realistic about how small that hurdle is, though: this is obscurity, not a control. Any device that has already joined your Wi-Fi is handed the router’s address by DHCP as its default gateway, so the guessing game only applies to someone who is not yet on the network. The settings that actually keep people off are a strong WPA2 passphrase, a non-default admin password on the router, and administration from the WAN side switched off.

 

SafeIP Hides Your IP Address for Private Browsing, Blocked Media

 

From lifehacker.com – 7 hours ago

Windows: If you want access to streaming media restricted by your location, web sites that display differently depending on where you are, or just a little privacy, SafeIP can help.

Juliana Payson‘s insight:

SafeIP has IP addresses in ten locations, including multiple servers in the US and the UK and a handful in places like Hong Kong, the Netherlands, Canada, Austria, Poland, Italy, Germany and France. Since your IP address identifies your location, you may want to piggyback on a proxy server to cloak it. This is not as nefarious as it sounds: if you travel a lot, logins from many different locations can trip your bank’s fraud checks, and checking in from one expected proxy location reduces the chance of a lockout. One caveat before you route anything sensitive that way: the proxy operator sits between you and the site, sees every connection you make through it, and can read anything not protected by HTTPS, so treat a free proxy the way you would a public Wi-Fi hotspot.

Now, every device has an IP address so that there are end points for sending data when we trigger requests. Your website has an IP address because it lives on a server, though on shared hosting several sites may answer at the same address. Your phones and laptops have addresses of a different kind: the private ones your router hands out, which the wider Internet never sees directly.

I hope this collection of recent articles helped your understanding of IP addresses; let me know in the comments below if you have more questions you want followed up on. - Juliana

 

 

Which is the best up-to-date FTP client to use?

If you’re a heavy user of the File Transfer Protocol (FTP), say more than once a week and more likely daily, how do you go about choosing your FTP client?

I’ve pulled up three very recent articles today on the most up-to-date rollouts and feature sets of FTP clients; hopefully they can help you determine which one suits your needs best, whether you are a Mac OS user, a light user like myself, or a heavy user familiar with the Linux/Unix command line.

FileZilla 3.7.0 improves FTP performance


From betanews.com – Today’s news

Open-source FTP client FileZilla 3.7.0 and FileZilla Portable 3.7.0 have both been released. The new build now allows users to view the total transfer speed as a tooltip over the transfer indicators, and replaces the deprecated term SSL with TLS.

Juliana Payson‘s insight:

There are a lot of FTP client programs to choose from for transferring files, but one that stands out from the crowd is FileZilla, an FTP client that runs on Windows, Mac and Linux. It was started as a computer science project by Tim Kosse and two classmates, who decided to release the code for public use under an open-source licence (the GPL). There have been minor updates to the software today that improve its security. Continuous rollouts like this are what make FileZilla a comfortable choice for users like myself who probably use an FTP client no more than once a week.

If you’re looking for something a little more browser-friendly, since you may already be maxing out your processor with desktop client software, then maybe FireFTP is the client for you.

 

FireFTP is a Powerful Firefox FTP Client You Can Use in Your Browser


From www.makeuseof.com – 3 days ago

If you’ve ever done any sort of web management, then you’ve probably used FTP at some point or another. Most web hosts will have a primitive file uploader that you can use straight from your browser, but those are often a pain in the butt to use.

Juliana Payson‘s insight:
FireFTP doesn’t skimp on its feature set, which makes it a strong and viable alternative to other clients like WinSCP and FileZilla.

I used to be a big user of Firefox, and I am now also inclined to use more cloud-hosted software that runs in the browser, freeing up my overworked laptop for more serious applications. This seems like a great idea to me, except that I haven’t yet found a viable alternative for users who have switched over to Chrome. Please let me know if you find one!

In the meantime, here are some awesome tips for Mac OS users:

Options for file sharing via SSH in OS X



From reviews.cnet.com – 10 months ago

Apple’s Remote Login feature in OS X can be used for securely transferring files using several protocols. Read this article by Topher Kessler on CNET.

Juliana Payson‘s insight:

Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. Topher presents a handy guide with screenshots to show you how you can access your server over SFTP. Using the command line to establish the connection may be cumbersome, but fortunately there is a tool called Macfusion that can store your common server settings.

Please point me in the direction of your favorite FTP clients in the comments below. - Juliana

 

 

 

The Case Against FTP & for SFTP

 

Secure FTP (software)

FTP (File Transfer Protocol) clients are standard parts of many web hosting packages. We even have them in ours. Hosts include FTP because people are looking for it – but it’s not necessarily the best tool to use for your site. The reason it’s a questionable protocol is simple, as is switching to a replacement, SFTP (the SSH File Transfer Protocol, usually read as “Secure FTP”). All of this is discussed below.

For this article, I looked at various pieces from around the web, including “Why You Need to Stop Using FTP” from JBDFu.com, “Security Issues in FTP” from raditha.com, “FTP, SFTP and FTP/S” from InformIT, and “Backdoor (computing)” from Wikipedia.

FTP is not all bad. It is built on TCP, so it gets reliable, in-order delivery and a checksum that catches accidental corruption in transit (though not deliberate tampering, which is a different kind of integrity). The basic problem with FTP is that it does not have the security SFTP does. We spoke similarly, in a recent blog post, about SSH (Secure Shell), another way to interact between machines securely. It’s common sense that choosing less secure methods to communicate and transmit data is suspect … well, depending what you’re doing.

FTP has good company in sending data out in the open. Other protocols that send unencrypted data unless they are wrapped in TLS are POP, IMAP, and Jabber (XMPP). All things equal, though, secured is better than unsecured, right? After all, regardless of whether or how someone might use your data, isn’t there a creepiness factor about someone looking at your stuff?

Speaking of your “stuff,” maybe this is a good way to put it: Sure, leave your windows and blinds open sometimes if you like. But when the real gets real, when you’re having a private conversation with your divorce lawyer or making babies with your wife (hopefully in the reverse order) and all your “stuff” is out in the open, secure the perimeter. Simply put, FTP is peeping-Tom friendly, and SFTP is not.

What FTP Has in Common with Telnet

OK, the JBDFu.com piece gives a pretty clear understanding of why straight-up FTP is not preferable. It was invented in the early 70s. Oh, the 70s. They were a blissful time, when all we had to worry about was … our clothes and how we were painting our walls and designing our homes and buildings. We didn’t have any time to think there might be kill-bots trying to steal all our information and our souls if we freely streamed data between two points. Passwords, anyone? Who gives a s%$&, nobody wants it.

OK, so quick review of Telnet entitled

Telnet: A Magical Program that You are Bound to Love Forever!! Hurray for Telnet!!

OK well, I don’t know what the point of the title is, but Telnet … [sound of my throat clearing] Telnet dates from the late 1960s and early 70s. It’s outdated. It has the same unencrypted-transmission problem that FTP does. Let’s talk about that problem within FTP in further detail.

Enter SSH

OK, so Telnet, mid 70s, no encryption. In the mid-1990s, people started switching over to SSH (Secure Shell). In other words, Telnet was recognized as being an inferior technology, and we moved on. Somehow FTP has stuck. It’s an established standard. There are tutorials all over the place telling us to use an FTP client to do such-and-such. Ideally, we don’t want to transfer or access files with FTP, though, because it has the same issues as Telnet re: security.

“Use an FTP client to do this.” “Use an FTP client to do that.” Everybody’s saying it to us all the time. It’s not an accident. You know why? Do you? Really, you do? I doubt you do. Are you sure? You think you know why? You do? Hm, we seem to be talking in circles. Lean your head toward me so I can whisper it to you in case a military surveillance aircraft flies by. “I often use this technique to allow me to whisper to people. It’s a really disgusting habit.” You heard it here first.

What’s wrong with FTP? It means well.

Basic issues with FTP:

  • Passwords 4 Free: It doesn’t encrypt passwords during transmission. What’s the point of a password if it’s not encrypted for transit? Seems kinda pointless. Like you lock the door and then leave your key under the mat. The protocol only allows the server to process login details as plain text. Partially due to this, the root account of a server typically is not usable for FTP or Telnet (which, again, has the same issues).
  • Data Free-for-All: Data transmission is not encrypted. Now, this does not necessarily matter, but be aware at all times that it’s easy for people to see what you’re doing. FTP should feel like a public rather than a private place. Also, since FTP is often used to upload files to web servers, getting into your account isn’t just a matter of reading it, as when someone gets into your email account. Access means they can change your website. Nobody wants “Bobby Lou Was Here” scrawled across the top of their website (except for Bobby Lou, that is).
  • Open the Hack Door: Publicly exposed FTP servers have been broken into and fitted with backdoors (code that lets an outsider back onto the server unnoticed, often with spying software implanted alongside). Backdoors often go undetected for lengthy periods – years sometimes.
  • We Have Bug Problems: Some of the more commonly used FTP servers have reputations for being buggy.
  • Um … This is Hard: FTP opens a second connection for every transfer – from port 20 in active mode, or to an arbitrary high port the server announces in passive mode. That structure makes port forwarding and firewall administration more difficult: the firewall has to read the control channel to learn which data port to allow, or you open a whole range up front.
  • Don’t Destroy the Evidence: Login details are stored in files on the client’s hard drive, unencrypted, in plain text. In other words, login details aren’t just unsecure during transit. They’re part of a paper trail that is automatically backed up on your computer.
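To make the first and the “This is Hard” bullets concrete, here is an added Python example (mine, not from any of the sources cited above) that plays the part of someone sniffing the FTP control channel. The two captures are constructed: “>” marks what the client sent, “<” what the server answered, exactly as the bytes would appear on the wire. The script lifts the USER/PASS pair out of a plain FTP login, and decodes the 227 “Entering Passive Mode” reply to show that every transfer opens a fresh connection to a high port the server just made up, which is the firewall headache. The second capture shows what the same sniffer gets once the client sends AUTH TLS: nothing after the TLS handshake.

```python
"""What an eavesdropper on the path gets from an FTP control channel.

Added example, not code from the article or its sources. Both captures are
constructed: '>' is a line the client sent, '<' a server reply. 192.0.2.10 is
the RFC 5737 documentation range standing in for a real server.
"""
import re

PLAINTEXT_SESSION = """\
< 220 FTP server ready.
> USER webadmin
< 331 Please specify the password.
> PASS Summer2013!
< 230 Login successful.
> PASV
< 227 Entering Passive Mode (192,0,2,10,195,80).
> STOR index.html
< 150 Ok to send data.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (192,0,2,10,200,1).
> RETR billing-export.csv
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
"""

# Explicit FTP over TLS: after the server's 234 the channel is encrypted, so the
# sniffer sees only ciphertext. The login still happens, just not in this capture.
FTPS_SESSION = """\
< 220 FTP server ready.
> AUTH TLS
< 234 Proceed with negotiation.
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_capture(capture):
    """Yield (direction, text) pairs, skipping blank lines."""
    for raw in capture.splitlines():
        raw = raw.strip()
        if raw:
            yield raw[0], raw[2:]


def extract_credentials(capture):
    """Return the (user, password) pairs readable in clear text.

    Returns [] if the client negotiated TLS before logging in: FTP's USER and
    PASS commands are sent exactly as typed, so the only thing that hides them
    is wrapping the control connection first."""
    creds, user, tls_requested = [], None, False
    for direction, text in parse_capture(capture):
        verb, _, arg = text.partition(" ")
        if direction == ">":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS":
                creds.append((user, arg))
        elif direction == "<" and tls_requested and text.startswith("234"):
            break  # server accepted AUTH TLS: everything from here on is ciphertext
    return creds


def parse_pasv(reply):
    """Decode a 227 reply into (host, port). The port is sent as two bytes, p1*256+p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connections(capture):
    """Every data connection the client will open: one per transfer, each to a
    port the server picked on the spot. A firewall has to read these replies to
    know what to allow; once the control channel is encrypted it cannot."""
    return [parse_pasv(text) for d, text in parse_capture(capture)
            if d == "<" and text.startswith("227")]


if __name__ == "__main__":
    print("credentials in the clear:", extract_credentials(PLAINTEXT_SESSION))
    print("data connections:", data_connections(PLAINTEXT_SESSION))
    print("credentials seen with AUTH TLS:", extract_credentials(FTPS_SESSION))
```

The same logic works on a real capture once you have the TCP payload split by direction (for example from Wireshark’s “Follow TCP Stream” export); nothing about the extraction is clever, which is the point: the password is simply there.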

Example Scenario

So as described above, everything passes through via FTP as clear text. That includes all the login credentials, and that’s the most glaring issue. However, downloading of files presents additional problems. You can’t ever really know if an ecommerce site is safe with your information, for example.

So, picture this, my friend: You go in to buy a product on a small website, such as a large blue vase with an image of naked men wrestling (which you’ll tell your wife you purchased purely for aesthetic purposes). They have a high-quality SSL certificate, maybe even an EV (“extended validation,” green bar) one. You think you’re fine. Input your credit card details. OK transfer successful, via SSL. You’re good. Then an administrator for the site pulls all the billing info from the site using an FTP client.

In other words, FTP can cause problems even when someone has safely transmitted their data to you. It’s not just about the client’s card information. It represents the potential for holes in your system. Swiss cheese is delicious, but I don’t trust it either.

Alternatives to FTP: Following Protocols

OK so again, FTP is not without its merits but it does not have the security we want for our passwords and much of the data we upload and download onto our website or network. Here are a few alternatives:

FTP/S (also written FTPS): This is not SFTP. It is FTP with TLS (the protocol still commonly called SSL) wrapped around the control connection and, optionally, the data connections, so it protects the login credentials and can protect the file data too. Loosely speaking, FTP is to FTP/S as HTTP is to HTTPS. It is not very popular because it inherits FTP’s separate data connection and then hides the PORT/PASV exchange from the firewall: once the control channel is encrypted, a firewall or NAT device can no longer read which data port to open, so you end up reserving a fixed port range by hand.

You also need a certificate, which means you either create one yourself (and get every client to trust it) or buy one. It’s a little annoying, can carry a small expense, and is not as easy to set up as the other methods.

SFTP: OK, so let’s look at our winner. SFTP is probably the best alternative to FTP for four reasons.

  1. Secure Shell foundation: SFTP is not bolted onto SSH as an option; it runs as a subsystem inside an SSH session, so it inherits SSH’s encryption, host-key verification and user authentication, all of which are widely used and trusted.
  2. Yes, it is a popularity contest: Because SFTP is popular, it’s easy to find free software that’s compatible with your OS.
  3. No sweat: Easy to operate and maintain. Any SSH server doubles as an SFTP server (OpenSSH ships it as the sftp subsystem), so there is nothing extra to install, and SSH installation is quick too.
  4. Use of keys: With key-based authentication, logins are automated and no password ever crosses the wire. The whole interaction is encrypted from beginning to end.

SCP: SCP, also known as Secure Copy, is similar in some ways to SFTP: it copies files over an SSH connection. Both rely on SSH for their encryption, so the real difference is in what the account can do. SCP works by running a copy command through the user’s login shell on the remote side, so an account that can use scp can generally run other commands too, and it is awkward to confine to a single directory. SFTP, by contrast, can be locked down: OpenSSH can force an account into the SFTP subsystem alone and chroot it into its own directory. For file transfers by users you don’t want roaming the system, SFTP is the safer choice; for your own shell accounts, either will do.
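Here, as an added example that is not Superb’s configuration or anything from the sources above, is a Python script that checks an OpenSSH sshd_config for the points just made: key-based login instead of passwords, SFTP served by the built-in subsystem, and SFTP-only accounts confined with ForceCommand and ChrootDirectory so they cannot do what an scp-capable shell account can. The two configs it checks are constructed: the weak one is roughly what a stock install with password logins looks like, the hardened one is the fix. The directive names are real OpenSSH keywords; the group name sftponly and the path /srv/sftp are this example’s assumptions.

```python
"""Audit an OpenSSH sshd_config for the settings that make it a safe SFTP server.

Added example, not Superb Internet's configuration. WEAK_CONFIG and HARDENED_CONFIG
are constructed samples; the keywords are real sshd_config directives, while the
group name 'sftponly' and the path /srv/sftp are this example's assumptions.
"""
import re

WEAK_CONFIG = """\
# Constructed: roughly what a stock install with password logins looks like
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """\
# Constructed: keys only, SFTP via the built-in subsystem, SFTP-only users jailed
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords.

    Two sshd rules are modelled: keywords are case-insensitive, and the first
    occurrence of a keyword wins. Everything after a 'Match' line belongs to that
    block until the next 'Match'. 'Subsystem' is keyed by subsystem name."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        if key == "subsystem":
            name, _, command = value.partition(" ")
            key, value = f"subsystem {name.lower()}", command.strip()
        current.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def effective(block, global_settings, key, default):
    """Value a connection matching `block` sees: block setting, else global, else sshd's default."""
    return block.get(key, global_settings.get(key, default))


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    g, matches = parse_sshd_config(text)
    findings = []
    # An unset PasswordAuthentication means 'yes' in sshd, so a missing line is a finding too.
    if g.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': logins can be guessed or phished; use keys")
    # Older OpenSSH defaulted PermitRootLogin to yes, newer to prohibit-password; flag anything looser.
    if g.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password login as root")
    if g.get("subsystem sftp", "").split()[:1] != ["internal-sftp"]:
        findings.append("Subsystem sftp is not internal-sftp: chrooted users would need the sftp-server binary inside the jail")
    sftp_blocks = [(c, b) for c, b in matches if b.get("forcecommand", "").startswith("internal-sftp")]
    if not sftp_blocks:
        findings.append("no Match block forces SFTP-only users into internal-sftp; they get a shell, as with scp")
    for criteria, b in sftp_blocks:
        if "chrootdirectory" not in b:
            findings.append(f"Match {criteria}: ForceCommand internal-sftp without ChrootDirectory, users can browse the whole filesystem")
        if effective(b, g, "allowtcpforwarding", "yes") != "no":
            findings.append(f"Match {criteria}: AllowTcpForwarding still on, an SFTP-only user can tunnel through the server")
        if effective(b, g, "x11forwarding", "no") != "no":
            findings.append(f"Match {criteria}: X11Forwarding enabled for a file-transfer-only account")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

One thing the checker cannot see from the file alone: sshd refuses a ChrootDirectory login unless the jail directory and every directory above it are owned by root and not writable by group or others, so after applying the hardened config, verify the permissions on /srv/sftp and the per-user directories before you hand out accounts.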

TP: Toilet paper is typically not recommended for secure connections. It should be kept in the bathroom where it belongs. Toilet paper should not be jammed into a server. It should not be turned into digital software and used to wipe a backdoor. One reason TP does not work well as a secure file-transfer protocol is that it is made out of tissue rather than code, so it doesn’t contain any encryption. Also, sometimes you run out. While you’re driving to the store to get more, you’ve opened the window for malicious entry.

Summary & Conclusion

So, SFTP: Think about it people. Make it happen. Remember, even if the particular data or files you’re working with at a given time are not sensitive, your password itself can easily be stolen using FTP. That means it’s never secure for sensitive situations. If you have any further thoughts or advice related to this, please comment below.

by Kent Roberts and Richard Norwood

Authorized SSH Access

How many of you are still confused by the terminology SSH, aka Secure Shell? Today I’ll point you in the direction of some commentators with either hands-on experience or theoretical understanding to discuss it in different ways, with the hopes that one of the methods of explanation will stick for each of us.

Authorized SSH Access

Structure of an SSH binary packet

From rabbitbytes.wordpress.com – 2 weeks ago

Also known as remote SSH access without passwords, Secure Shell (SSH) and its related utilities (SCP, slogin) should be used whenever possible to provide encrypted data communications.

The owner of the Rabbit Bytes blog is a systems administrator for Linux servers. He goes into great detail, with excerpts of command-line code, in a step-by-step guide that will help you set up password-free access to your Linux server. “Password-free” here means key-based authentication, rather than SSH itself being password-free: you generate a key pair, keep the private key on your own machine, and add the public key to the authorized_keys file of the account on the server, which then lets you in on the strength of the key. Basically SSH “tunneling” is a secure means of encrypting access to your server from a remote access point. You may also be familiar with the term “salt” from the secret keys in a WordPress config; those are a different thing, random values WordPress mixes into the hashes that protect its login cookies, not keys you log in with.

Perhaps an SSH broadcast will help explain things better than I, though…

The Linux Action Show! | Jupiter Broadcasting


Linux’s Wirecast Problem | The Linux Action Show! | Jupiter Broadcasting | How to Grow Your Business Online | Scoop.it

From www.jupiterbroadcasting.com – 3 weeks ago

This week we come clean on why the world’s #1 Linux podcast is edited on a Hackintosh, as well as what it’s going to take for things to get any better.

Juliana Payson‘s insight:
One of my favorite things about the Droid DNA is that its SSH app lets me leave my laptop behind, because I can do most simple remote administration from the phone. Does anyone know of any good SSH apps out there? In the Linux show they go on to review a couple of remote-access SSH “tunneling” apps, and they even explain when you should use SSH over a Virtual Private Network (VPN).

Remoter for Mac 1.4.0 – Remote Access For Mac Made Easy

Screen Sharing

From themactrack.com – Today

Remoter Labs today announces Remoter 1.4.0 for OS X, an update to their productivity app that allows users to remotely control Macs, via Screen Sharing, and Windows or Linux PCs, using the VNC.

We saw from the Linux show that they actually edit their podcast on a Mac. They come clean about it because they recognize that Linux has some way to go to catch up in professional media editing. Well, for those of you who are fully soaked in Mac because of your media profession, I’ve found a cool remote-access app for OS X that lets you reach your remote server on a completely different operating system.

by Juliana