Don't share master login credentials
Your account's master login credentials should be shared carefully, if at all. Your master login controls every aspect of your account and should be protected. To enable other users to use the Customer Portal, we recommend you set up individual or permission-based users. This allows you to have the most control over who is able to interact with certain aspects of your account.
Establish role-based or user-specific accounts
Different people within an organization have a different roles and responsibilities, and user permission sets are not one–size-fits-all. Because of this, establishing individual accounts for roles or users will ensure that each person or group only has access to what they should. If changes are made in error or were unauthorized, they can be traced back to the user or group to ensure proper training is received or user permissions can be updated. This minimizes risk in a variety of ways and allows users to focus on their specified role within the Customer Portal.
Manage your passwords responsibly
Each piece of software provisioned on a device is assigned a password that is automatically generated by our systems. Software passwords for each device are stored on the Passwords tab on the Device Details screen within the Customer Portal. We recommend changing your passwords after accessing the software for the first time. Optionally, software credentials may be stored on the Passwords tab for each device; however, understand that when storing passwords within the Portal, any person with access to the account and appropriate permissions may view passwords stored within the Portal.
Secure your system
Firewalls are an add-on service to any device and must be manually configured and enabled to ensure they are effective. Port management allows you to lock down superfluous ports and disable public ports for private network-based systems to further manage outside accessibility to your systems. Performing regular vulnerability scans in the Customer Portal identifies any outstanding or unknown security risks so that they may be mitigated quickly.
Use the private network
SoftLayer's private network allows you to manage your devices in the most secure environment possible. When possible, interact with your devices using a VPN connection and enable network spanning so your systems can communicate over the private network. To access the private network, edit the user’s VPN access from the User List. Use the instructions on our Virtual Private Network page to connect to one of the various VPN options.
Safeguard your data through regular backups
SoftLayer offers multiple backup solutions to ensure your data may be retrieved in the event of drive failure or user error. Backup solutions currently include NAS, EVault Backup and R1Soft CDP, which are all available in a variety of storage options. Check out our Storage page for more information on each backup solution.
Don't leave your firewall in bypass mode
Purchasing a firewall is a start to protecting your systems, but merely purchasing a firewall will not protect you. After it is provisioned, your firewall is in Bypass Mode and has no rules set. To get your firewall up and running, you must create rules and activate the firewall so it can begin blocking unwanted activity. If you don't, it's like having a security system that you never turn on.
Don't leave RDP, SSH, or control ports on the public network
The public network is great for many things, but there are certain aspects that, when left available on the public network through open ports, can leave your system vulnerable. Protect yourself by disabling RDP or restricting SSH on the public network. If these services must be available on the public network, consider moving RDP or SSH to a custom port number.
Don't assume you have redundancy; know you do
SoftLayer offers multiple add-on redundancies, including dual-path, redundant power supplies, and RAID configurations. Verify that you have provisioned one or more of these features to ensure you are working in a redundant environment and are protected in the event of a failure.
Don't perform an OS reload without confirming your information is backed up
OS reloads wipe a device's hard drive, which means information that was on the hard drive prior to the OS reload will not be there when the reload is complete. Prior to initiating the OS reload, back up your information and verify the success of that backup so no information is lost. After an OS reload has been completed, lost information cannot be retrieved.