API Gateway
Description
A product that allows the construction of custom [[API]]s that themselves may call out to multiple other URLs.
API
Description
Acronym for Application Programming Interface – generally speaking an API is a way to interact with a piece of software that doesn’t require a user interface and can be used with scripting or other forms of automation. It is especially good for bulk data management and for syncing state between otherwise disconnected systems.
Authentication
Description
Authentication is the process of making sure the person attempting to access something is in fact the person whose account they are trying to use. This is done by providing an identity (eg a username) and some other information that only that person would know (eg a password). When a system uses [[MFA|Multi-Factor Authentication]] more than one piece of extra information is requested, like a code texted to a phone or a token generated by an app that has been pre-registered by the true identity holder.
Authorization
Description
Authorization is the step that follows [[authentication]] and details what a valid user is actually allowed to do within a system. That can be through direct permission attribution or by evaluating group memberships. We lean heavily into group based authorization as it is far more sustainable and manageable in the long term, as well as being more transparent in the moment.
AWS
Description
An acronym for Amazon Web Services, a broad category of services offered by Amazon. The overall design of AWS is geared toward organizations that use dynamic and ephemeral computing resources, creating and deleting whole computers and databases repeatedly as needed. The most famous early example was a pizza company using AWS to spin up a huge number of servers on Friday nights to handle the spike in orders, then deleting them come Monday when the weekend rush was over and keeping a far more lean set of servers available to handle normal traffic for the rest of the week.
This is not how Jumpstart uses them, so many of the aspects and services of AWS are not relevant. We use the other aspect of AWS that is most helpful to us – an [[IaaS]] hosted elsewhere that gives us data and service redundancy while removing the need for a larger investment in the upkeep of [[on-premise]] servers and even more robust networking and failover systems. Our use of AWS is selective and intentional – not all services are best hosted from there, and not all on-premise costs are worth it.
The key services we use are:
- [[API Gateway]]
- [[EBS]]
- [[EC2]]
- [[Glacier]]
- [[Key Terms/Lambda]]
- [[RDS]]
- [[S3]]
- [[SQS]]
- [[VPC]]
Key Notes
- The AWS account itself is owned by the root user (aws@jstart.org in our case) – this is the most important account as it is the only one that can change ownership, assign MSP access, and perform every other account-level action
- In order to make AWS EC2 instances accessible to any offices or remote users connecting through [[VPN]], EC2 must have some sort of VPN connection itself, a role currently filled by the [[Meraki-vMX-S]] instance and the VPC network setup that selects that instance as its network gateway with appropriate routing rules
- [[Cost management]] is a critical part of using AWS. They will happily let you run up truly enormous bills, as most of their services are pay-per-use by default, which is a good deal until a bot decides to send gigabytes of data at your API Gateway or someone “spins up” a high tier EC2 to test something and forgets to turn it off when they are done. There are also some services or parts of services that are really good deals, and others that are pure premium cost rent-seeking. There are also mechanisms that you can use to prepurchase and plan your spend better, such as [[EC2#Reserved Instances|Reserved Instances]]
- As a nonprofit there is a [[Key Budget Items|yearly voucher]] that we can purchase from [[TechSoup]] and apply to our account ($180 for a $2000 voucher at time of writing); this is a purely manual process and must be remembered every year
CDN
Description
Acronym for Content Delivery Network: a system of servers holding copies of files spread across the world, paired with a load balancer that receives requests and serves each one from the server nearest the requesting user. Among other things, it helps to speed up website loading.
Cert
Description
Short for certificate, this almost always refers to the piece of information used by [[SSL]], [[SSO]], and other encryption processes to ensure identity and encrypt data in transit. They come in two parts, a public key meant for distribution and a private key that should never be shared or transmitted to any external party. Certs always have a requesting organization (ie us), an associated [[DNS|domain name]], a certifying organization (like [[Namecheap]]), and an expiration date. Managing the expiration of certificates can be a challenge, which is why most servers and services at Jumpstart use [[CertifyTheWeb]].
CLI
Description
Acronym for Command Line Interface, as opposed to a [[GUI]]. The broad category of terminal or script driven data display and command input. Tends to be most useful for scripting or low level commands.
Cloud
Description
In computing the term cloud essentially means “remote computer”. It is simply one or more pieces of computer hardware you don’t own and don’t have to maintain. Oftentimes it is also a time-shared resource, lowering the overall cost to use if the work one does doesn’t need to constantly be maximizing resource use on a server. The biggest upside to “the cloud” is that it minimizes upkeep and streamlines billing – rather than buying software updates and replacement hard drives as well as keeping track of electricity use and warranty status, you can have one single number per time period that you can plan around. The biggest downside of “the cloud” is that it is always someone else’s computer – if they don’t have good security, or they don’t order hard drives in time, you could be the one burned by their negligence and you wouldn’t necessarily know it was a problem beforehand.
CMS
Description
Acronym for Content Management System, a broad category of systems that house and organize content. That can be in the form of blocks of text or media, with structured data being better housed in [[System Services/Salesforce/Salesforce|other systems]]. The most common CMS is [[WordPress]]; Jumpstart uses that and [[Confluence]] for different needs.
Container
Description
A way of virtualizing and managing software packages that provides a consistent and separate environment for each package. Similar to a [[VM]] in that it uses a shared host to run multiple services/software installations, but different in that the hardware is not abstracted, while file system access and version management are. Jumpstart uses [[Docker]] to containerize several applications.
CSS
Description
Acronym for Cascading Style Sheets, the descriptive language that websites get their visual definition from.
CSV
Description
Acronym for Comma Separated Values, though in truth other delimiters can be used. A plain text file that stores information as a table with a simple separator character distinguishing columns, and new lines distinguishing rows. Though a very simple and flexible file type, it is very error prone as it struggles to distinguish intent – a row may contain text with a new line/return character, but most parsers will treat that as the end of the row rather than an internal line break. [[JSON]] is a more resilient and flexible format, though it is not without flaws as well.
Data Warehouses and Lakes
Description
A data warehouse is roughly speaking a box to store semi to fully structured data in. It often takes the form of files on a file share or rows in a database, but with consistent schema rules. That is, if there are a whole lot of [[CSV]] or [[JSON]] files that have roughly the same columns/properties in each, then a external program could load all of the data for processing with minimal guidance around the schema and start doing queries right away. At Jumpstart we use a [[PostgreSQL]] database with a JSON formatted column with an “origin” column that defines what sort of schema one should expect, but allows for
DKIM
Description
Acronym for DomainKeys Identified Mail, a system that lets a domain owner publish an approved outbound mail server’s public key in their [[DNS]] records so that the server can sign mail sent on the domain’s behalf and receivers can verify the signature. For instance [[Constant Contact]] has a key that we have added to our DNS records so that when they send email as us it includes a signature that the receiver can check against what we have listed as approved, and know that Constant Contact is allowed to email on our behalf.
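An added check for the kind of record described above (example code written for this page, not Constant Contact’s or Jumpstart’s tooling): it validates the tag=value syntax of a DKIM key record as it would be published at selector._domainkey.jstart.org, using a constructed placeholder key rather than a real one.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed DKIM key records of the kind a sender such as Constant Contact
# asks a domain owner to publish as a TXT record at <selector>._domainkey.<domain>.
# The key bytes are a placeholder, not a real public key.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder-public-key-bytes").decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + PLACEHOLDER_KEY
# An empty p= tag is the defined way to say the key has been revoked.
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
BROKEN_RECORD = "v=DKIM1; k=rsa; p=not*base64"


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list
    syntax: semicolon separated, the first '=' splits name from value)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(txt: str) -> List[str]:
    """Return a list of problems found; an empty list means the record is
    syntactically publishable and carries a usable public key."""
    problems: List[str] = []
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return [str(exc)]
    # v= is optional but, when present, must be DKIM1 and must come first.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            problems.append("v tag present but not DKIM1")
        elif next(iter(tags)) != "v":
            problems.append("v tag must be the first tag")
    # k= defaults to rsa; ed25519 is the other registered key type (RFC 8463).
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type: {tags['k']}")
    if "p" not in tags:
        problems.append("missing p tag (public key)")
    elif tags["p"] == "":
        problems.append("empty p tag: key has been revoked")
    else:
        # Whitespace inside the base64 is allowed (long keys are often split
        # across several TXT strings), so strip it before decoding.
        try:
            base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except binascii.Error:
            problems.append("p tag is not valid base64")
    return problems


if __name__ == "__main__":
    for record in (SAMPLE_RECORD, REVOKED_RECORD, BROKEN_RECORD):
        print(record[:40], "->", check_dkim_record(record) or "ok")
```

Feed it the TXT value returned by a DNS lookup of the selector a vendor gives you; it confirms the record was pasted intact before the vendor starts signing with it.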
DMARC
Description
Related to [[DKIM]]; a DNS record that tells receiving servers how to handle mail claiming to come from our domains that fails authentication, and where to send reports on which servers are sending email in our names. Currently monitored for free through [[Postmark]].
DNS
Description
Acronym for Domain Name System or Server; the fundamental way that names like www.jstart.org get connected to the actual computers those sites and services are hosted on, translating the domain name to an [[IP]]. DNS can be public or private: public DNS entries are served by Domain Registrars (like [[Namecheap]]) and/or Name Servers (like [[DNSMadeEasy]]) and private DNS entries are served by internal servers ([[Domain Controller|domain controllers]] in most Windows environments). There should be multiple internal DNS servers running for higher availability.
Internal
Internal DNS is integrated with [[Active Directory]], with each device getting a dynamic mapping automatically and a static one where a name should always be mapped to the same [[IP]]. The domain controllers automatically replicate their DNS entries to each other on a roughly 15 minute schedule.
Internal Root Domain
AD requires being able to refer to all connected systems with their Fully Qualified Domain Name or FQDN. Therefore it has to have one domain name to be the root that all other computers can refer to (technically you can get into forests and federation and do more but that is way out of scope for what Jumpstart needs). Our internal root domain is jstart.org, reflecting a Microsoft recommended “best practice” that they have since done a 180 on, but it isn’t worth rebuilding everything for some minor improvements.
Domain Controller
Description
Also known as a DC, it is a crucial part of the [[Active Directory]] infrastructure. It serves to [[Authentication|authenticate]] and [[Authorization|authorize]] users in a distributed and highly available way. DCs also host internal [[DNS]] servers, [[GPO]] policies, and network time sync.
EBS
Description
Acronym for [[Elastic Block Store]], the equivalent of a hard drive in [[AWS]].
EC2
Description
Short for [[Elastic Compute Cloud]], this [[AWS]] service allows for the creation of virtual computer hardware known as an instance.
Edge
Description
A way of talking about resources that indicates that the deployment of the resource is closer to the end user than the main source of function or information. An example in Jumpstart’s environment is when a [[Domain Controller]] is run on a laptop deployed to an office and left to run in a closet, just so that logins and password updates can happen more quickly based on where in the country a user is.
FaaS
Description
Acronym for Function as a Service, essentially relying on some other provider (like [[AWS]] or [[System Services/Windmill|Windmill]]) to manage compute resources and networking setup while the end user just creates functions in a normal programming language which they then publish, and the host platform provides a URL endpoint that the developer can use.
GPO
Description
Group Policy Objects are records in [[Active Directory]] that detail settings and actions that will be applied to user accounts and computers in the domain. They are divided into those categories and offer different actions to each. For example, the [[Default Domain Policy]] requires that all user accounts have an 8 character password of a set complexity, while the [[PCs-BitLocker]] policy enrolls and enforces individual laptops in the BitLocker encryption regime and stores their unlock keys in AD.
You can view the [[Index of Group Policies]] for specific details.
GUI
Description
Acronym for Graphical User Interface, as opposed to a [[CLI]] or terminal interface. Uses buttons, windows, dividers, panes, images, etc to show information and take commands in a program.
HTML
Description
HTML is an acronym for HyperText Markup Language. It is a way to structure content for display in a web browser and some other environments. It consists of dedicated tags enclosed in angle brackets < and >, in pairs with an opening and closing element like
<i> text </i>
which would render as text – an italicized string of characters.
HTTP
Description
An acronym for HyperText Transfer Protocol, the main protocol used on the internet to transmit information. While there are other protocols, HTTP is the most critical one on the application level (on the OSI model).
Methods
Methods are the “Verbs” or actions that the protocol understands and responds to. Often sending the same data with a different Method will have radically different results, or might simply outright fail.
GET
The most basic and default HTTP action, simply requests a resource from a URL. It can have parameters (like when you see https://whatever.com?id=test&list=10, both “id” and “list” are GET parameters), but it cannot deal with a body of data, and is potentially less secure since it leaves the parameters in the browser history, where other sites or extensions might read them.
POST
The more advanced data submission method. Can still use URL parameters, but critically allows for a body of data to be sent along with format information that lets the server better know what to do with the data. The body is encrypted in transit as long as the connection itself is (with [[SSL]]), just as URL parameters are; the difference is that the body does not persist in browser history.
PUT
A very similar method to POST, but generally used to update records instead of creating new ones. Less commonly used in applications.
DELETE
A method that signals to the server that the incoming data is related to the removal of something. Less commonly used in applications.
Hypervisor
Description
A hypervisor is a piece of software that can interpret snapshots of other computers’ memory and hard drives and provide an environment in which those snapshots believe they are running on top of real hardware. The hypervisor then manages and shares resources across any number of these [[VM|VMs]] and allows a single piece of real hardware to be used efficiently for multiple services and software.
IaaS
Description
Also known as “the [[cloud]]”; an acronym for Infrastructure as a Service, where a company has a bank of computers that others can rent time on – [[AWS]] is an example of this. IaaS can be as simple as starting a computer and connecting to it with [[SSH]] to run a single job, or as complicated as a multi-layered virtual network with multiple servers able to receive many requests and enforce security routes and [[load balancing]] rules.
![[On-Premise#Factors]]
Key Notes
- “The Cloud” just means “someone else’s computers”, which has up and down-sides but is always out of your reach and fundamentally belonging to someone else
- Always comes at a premium, but removes the burden of hardware management and some software updates (depending on exact setup)
- Can be created and deleted very quickly and easily, allowing for prototyping of potential [[on-premise]] designs
- Allows for easy vertical [[scaling]], in most cases selecting a higher tier machine [[instance]] (and accepting the higher cost that comes with it) and rebooting will instantly give you a more powerful server
IaC
Description
Acronym for “Infrastructure as Code”, a way to describe and automate the computing resources and rules needed to deploy a particular application.
IAM
Acronym for Identity and Access Management.
[[AWS]]
The language of IAM is used in many services, but of note is the AWS use in particular. It is where all users who will manage some aspect of the [[IaaS]] itself must be created and updated. Amazon has an incredibly in-depth and specific permissions tool they call Policies that governs every aspect of not just access but also use of each different facet of each different service. At the moment we simply have two user groups:
- DomainAdmins – read-write on everything
- ReadOnly – read-only on everything
In the future it would make a lot of sense to have other classes of user, like an [[RDS]] management role for the [[Data Reporting Specialist]] or a basic server restart role for the [[Support Specialist]], but at the moment we have kept it very simple.
iLO
Description
Stands for “integrated lights out”, the baseboard management controller for HP servers that allows management of a computer across the network even when the actual computer is powered off or experiencing problems.
IP
Description
Stands for Internet Protocol, the set of rules that governs how traffic is addressed and routed on networks. Its address system (ie the IP address) is a very common and critical part of describing websites and devices.
JSON
Description
Acronym for JavaScript Object Notation, a way to write out information with labels that is readable to humans and computers. It has strict formatting rules, like using curly braces and square brackets to denote objects and arrays:
{
    "testArray": [1,2,3,4],
    "person": {
        "first": "Bob",
        "last": "Belcher",
        "isChef": true
    }
}
(the spaces and tabs are optional formatting, the double quotes and commas are required)
JSON is used in programming, especially for web applications, but because it is so flexible and relatively easy to read and use it often forms the basis of data exchange even between different systems. For instance, most any [[User Services/lms]] that uses [[xAPI]] is describing learning steps in a JSON format. That same data can be stored in the [[Areas of Concern/Data warehouse]] in a data column, then queried, parsed, and transformed by [[Power BI]] to produce reports without involving any web pages.
JSON is superior to CSV and Excel files because
- it has stronger typing rules (it knows the difference between a number, some text, a true/false value, and a list of any of them)
- it can be layered and relational – you can have an essentially infinite level of nesting objects and arrays within each other (so you can have a list of people, and each person can have a list of their siblings, and those siblings can have a list of phone numbers, all without needing multiple files or sheets)
Key Notes
- most modern [[API]]s speak some form of JSON
- The ideal export format for any software or service we are evaluating is JSON, as it is more robust and less error-prone than CSV or Excel files
Lambda
Description
Generally speaking a lambda is a short specific function meant to be used and reused by other routines, or chained together to form more complex behaviors.
[[AWS]]
Amazon has a service called Lambda which is, much like its namesake, meant to be used in a more streamlined way. Rather than creating a large program with many moving parts, you can create a Lambda function in many different programming languages and then expose that function through an [[API Gateway]] such that an application or web page can call it to perform a limited action.
Jumpstart is currently using one Lambda called sqsToWarehouse to feed data from an [[SQS]] queue into the [[Areas of Concern/Data warehouse]] on [[InternalApps-PostgreSQL]]. It is a simple Python function that tries to validate a piece of [[JSON]] data and then save it to the warehouse. If it fails to parse the JSON, for instance if there are erroneous double quotes in the submitted data, it will instead save the chunk of text to the Errors table in the warehouse for later manual processing (if necessary).
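As an added illustration of the routing the sqsToWarehouse function performs (example code written for this page, not Jumpstart’s actual Lambda): it assumes the SQS-triggered Lambda event shape, an in-memory stand-in for the warehouse and Errors tables, and a hypothetical rule that every record must carry an “origin” field matching the origin column described under [[Data Warehouses and Lakes]].

```python
import json
from typing import Any, Dict, List, Optional

# Constructed in-memory stand-in for the two warehouse tables. The real
# function writes to PostgreSQL; the table names here are assumptions.
WAREHOUSE_TABLES: Dict[str, List[dict]] = {"warehouse": [], "errors": []}


def validate_event(payload: Any) -> dict:
    """Hypothetical validation rule: the payload must be a JSON object
    carrying a non-empty "origin" string, so the warehouse knows which
    schema to expect for the rest of the document."""
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    origin = payload.get("origin")
    if not isinstance(origin, str) or not origin:
        raise ValueError("missing or empty 'origin' field")
    return payload


def process_record(body: str, tables: Dict[str, List[dict]]) -> str:
    """Route one SQS message body: valid JSON goes to the data table,
    anything that fails to parse or validate goes to the errors table
    with the raw text kept for later manual processing.
    Returns the name of the table written to."""
    try:
        payload = validate_event(json.loads(body))
    except (json.JSONDecodeError, ValueError) as exc:
        # Store rather than raise: an exception here would make the whole
        # SQS batch retry, and a malformed message would never drain.
        tables["errors"].append({"raw": body, "reason": str(exc)})
        return "errors"
    tables["warehouse"].append({"origin": payload["origin"], "data": payload})
    return "warehouse"


def lambda_handler(event: dict, context: Any = None,
                   tables: Optional[Dict[str, List[dict]]] = None) -> Dict[str, int]:
    """Entry point shaped like an SQS-triggered Lambda: each item of
    event["Records"] carries the message text in its "body" field."""
    tables = WAREHOUSE_TABLES if tables is None else tables
    counts = {"warehouse": 0, "errors": 0}
    for record in event.get("Records", []):
        counts[process_record(record.get("body", ""), tables)] += 1
    return counts


# Constructed sample batch: one clean xAPI-style statement, one with stray
# double quotes inside a string (the failure mode described above), and one
# that parses but is not an object.
SAMPLE_EVENT = {
    "Records": [
        {"body": '{"origin": "xapi", "verb": "completed", "actor": "bob@example.org"}'},
        {"body": '{"origin": "xapi", "note": "she said "done" and left"}'},
        {"body": "[1, 2, 3]"},
    ]
}


def run_sample() -> Dict[str, int]:
    """Process SAMPLE_EVENT against fresh tables and return the counts."""
    tables: Dict[str, List[dict]] = {"warehouse": [], "errors": []}
    return lambda_handler(SAMPLE_EVENT, tables=tables)


if __name__ == "__main__":
    print(run_sample())  # {'warehouse': 1, 'errors': 2}
```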
LDAP
Description
Acronym for Lightweight Directory Access Protocol, a way to manage and organize users and resources. It is the protocol that [[Active Directory]] uses as its base, adding certain Microsoft extensions on top of it. Often when looking for Active Directory support issues or advanced questions searching for LDAP will return better results.
LMS
Description
Acronym for Learning Management System, a specialized variety of [[CMS]] focused on interaction tracking with the published content. It can come in many forms, the one currently used at Jumpstart is to have a separate system for access management and publishing ([[System Services/MyJStart|MyJStart]]), course creation ([[Easygenerator]]), results capture ([[Areas of Concern/Data warehouse]]), and reporting ([[Power BI]]).
Load Balancing
Quite literally balancing the load between available resources. This can take the form of sending incoming web page requests to different servers based on the level of capacity they have, or routing internet traffic between two ISP connections as in the [[Boston]] office.
[[AWS]]
Amazon has a product called ELB, short for Elastic Load Balancer. It was once used on our account by G2, but was poorly implemented as only a reverse-proxy and not serving any real purpose. If we ever need to distribute traffic across AWS hosted servers it may be worthwhile, but it meets a very specific need we will likely never have.
MFA
Description
Multi-Factor Authentication is a way to [[Authentication|authenticate]] an identity using an extra external piece of information. The general philosophy of best practice authentication is “something you have and something you know” – a person should know their long-lived password, and by receiving a text to their registered phone or generating a token through a registered application they confirm ownership at that moment in time.
MFA is a highly valuable security tool and should be used whenever possible in any system that supports it.
Microsoft Azure Sponsorship
Description
An annual account credit of $2,000 that can be used to run [[Azure Virtual Machines]], [[Azure AI service for Language]] (text analysis for [[Power BI]]), etc
MSP
Description
Acronym for Managed Service Provider, this vendor supports Jumpstart by doing maintenance tasks like verifying [[Backup Strategy|backups]], monitoring [[Monitoring systems|alerts]], and doing general support tickets on an as needed basis. They also own the Windows Update functionality and push timely patches to both servers and laptops across the Jumpstart fleet.
MySQL
Description
An open source database software used by a large number of sites and services, such as [[WordPress]], [[System Services/SAM|SAM]], and [[PER System]].
On-Premise
Description
Also known as on-prem; in contrast to [[IaaS]], on-premise indicates that technical resources are located physically within an organization owned space. That might be one of the offices, a co-location facility, or a data center. It often has [[Cost Management|cost]] advantages, but requires physical and software maintenance that carries its own cost.
Factors
When making the decision between on-prem and IaaS there are several factors to look at to determine which way to go:
- Data security – does the IaaS have documented and verified security which matches the needs of the data to be stored or processed?
- Reliability – does the IaaS offer a better [[SLA]] than internal resources would be able to provide in case of emergency?
- Redundancy – what kind of data storage layers are there? Are available emergency power supplies going to keep servers running long enough to properly shut down and not lose data?
- Backup/Recovery – how easy is it to get up and running after a disaster or migrate services in a crunch?
- Management – how easy is it to increase disk size? How hard is it to upgrade RAM or install new software? Can you see all relevant computing resources in one place or do you have to hop between logins?
- Price/Performance Ratio – how much RAM can you throw at a problem before you break the bank? How long will you need the extra memory for? Would just [[scaling|adding extra servers]] help?
- Portability – no matter what you choose, can you pivot to another solution if it becomes clear the current setup is not ideal?
All of those aspects exist in balance and should be judged on a service by service basis. In some cases the answer will be clear, in others less so, but when starting out it is probably best to start with security and portability, and narrow down as you test the service.
Open Source
Description
Open source software is simply that – software that allows anyone to access the original source code it runs on. In the majority of cases that also means it can be modified by users to fit their own environment, such as how Jumpstart has modified the [[Self-Service Password Reset (Oops)]] software to contain our own messages and images. There are some pieces of open source software with built-in limitations, where only parts of an overall program have been open sourced but more specific components must be paid for, like the user management features of [[PhotoPrism]].
Operating System
Description
An operating system is the (generally) lowest level piece of software running on a computer that mediates all of the user elements (inputs, software requests, etc) with the hardware the computer is composed of (keyboard, display, etc).
OS
Acronym for Operating System, the fundamental software that allows normal applications to run. There are many OSes, but primarily you will encounter three – Windows, Linux, and Mac. Each of those has variants with greater and lesser differences:
- Windows
  - Windows 10
    - Home – severely limited, cannot join [[Active Directory|domain]]
    - Pro – minimum level for Jumpstart
    - Enterprise – deployed by [[PCs – Upgrade to Windows 10 Enterprise|Group Policy]] to all computers in the [[PCs-StandardSetup]] group, allows more advanced management and configuration
  - Windows 11 – we should not update to Windows 11 until there is a clear reason to do so. It is a drastic departure from Windows 10 without any clear benefit and comes with more ads and snooping built in
  - Server
    - 2016 – currently in use
    - 2022 – latest version, no huge leaps but still should plan to update current servers
- Linux
  - Many distros (distributions)
    - CentOS – eg [[JS-BOS-DockerHost1]]
    - Debian – eg [[JS-BOS-Intranet]]
    - Fedora – eg [[Siteground]] (both MyJStart and WWW)
- Android
  - Many distros (distributions)
- Mac
  - Mac OS X
  - iOS
Parquet
Description
Parquet is a file format meant to efficiently store thousands to millions of records in read-only well compressed files. It is a good target for data that does not change, like the history of interactions from a given [[Constant Contact]] campaign, or for historical records of [[survey|surveys]] from years past. Moving records in [[System Services/Salesforce/Salesforce|Salesforce]] or the [[Data warehouse]] to a Parquet file allows for data to go from more expensive and more performance sensitive resources to low cost storage yet still be included in [[Power BI]] data flows as needed.
PHP
Description
A recursive initialism for “PHP: Hypertext Preprocessor”, it is a programming language used to provide web pages. It is the language used by software like [[WordPress]], [[System Services/SAM|SAM]], [[Self-Service Password Reset (Oops)]], and many others.
PostgreSQL
Description
Open source database software, Jumpstart uses it for a [[Areas of Concern/Data warehouse]] on [[InternalApps-PostgreSQL]]
RDP
Description
Acronym for Remote Desktop Protocol, a Windows-specific feature that allows users to access a computer virtually. There are two flavors of RDP, an individual user method and a multi-user Terminal Server method.
Single User
All versions of Windows except for Home support a single remote login at a time. The remote session is effectively identical to sitting in front of the computer, including local and network drive access as well as USB and printers. This is rarely used in practice because all of our users have laptops they can just take with them, and we do not have permissions set up to allow them to remote in anyway.
Terminal Server
Windows Server editions can host a service called Terminal Server (a reference to a much older style of computing) that allows multiple people to connect to the same computer but still have independent desktops and applications of their own. An example of this is [[JS-AWS-SupportApps|access.jstart.org]], which hosts not only the Terminal Server that one can use the Remote Desktop Client to connect to, but can now also expose RDP through the browser without needing to install or run a client (the client is installed by default on all Windows computers but may be disabled at some universities).
Security
Of critical importance is that RDP is not a secure protocol – it was designed to be very basic and now relies on other layers of defense to be secure. That is why the only ways to use access.jstart.org are either through the web browser (which draws the desktop live and does not expose the RDP protocol itself to the public internet) or by being on the [[VPN]] to use the desktop client. RDP ports should never be left open on firewalls, as it is a significant target for attackers even if the port is changed from the default.
RDS
Description
Acronym for [[Relational Database Service]], a part of [[AWS]]. Essentially a simplified Linux [[EC2]] that only exposes the database portion of its capabilities, greatly simplifying management and updates.
Record Relationships
Description
There are several different ways records in a database can connect to each other. Each has benefits and drawbacks and should be selected on a case by case basis, as well as aligning with the technical limitations of a system.
One-to-One
A very direct and limited relationship, best used when real-world constraints demand very limited function. Generally involves reciprocal fields on each record pointing only to the other record; whenever the data on one side of the relationship can instead be stored as a set of fields on the other record, that is generally preferred. An example might be a person receiving a once in a lifetime vaccine – it is crucial they not receive multiple doses, and once injected the vaccine will not be used by anyone else, but there may be enough specific detail about the vaccine shot itself that it should be stored as its own record type. It is an extremely limited relation however and should be avoided without very specific cause.
One-to-Many
The most common relationship between records, often known as a parent-child relationship. It is generally expressed as one field on the child record that indicates the parent record. This allows the child record to access information on the parent record easily, as the direct relationship has been recorded. In contrast a parent record may have an enormous number of children, but cannot traverse those relationships “down” to gather details and must rely on rollups or other aggregations to reflect data on the related records. In [[System Services/Salesforce/Salesforce|Salesforce]] for instance many [[Contact|Contacts]] have a Primary Account field to indicate which [[Account]] the Contact belongs to, and on the Contact record one can see the Account’s Name, Mailing Address, etc.
- Benefits: Data traversal is very useful, parent-child relationships are more immediately understandable, they can be implemented with a single field, narrows the scope of the relationship in a way that helps validation but not so far that it is unwieldy
- Constraints: Child data must be aggregated to the parent record to be useful which requires automation, can exclude important edge cases from being able to be stored accurately (eg someone who splits work time 50/50 between two companies), more difficult to generate audit trail of changes
Many-to-Many
A many-to-many relationship means that the records on both sides of the relation can be connected to many other records through the same mechanism. The most common form of this is using a Join Object/Table, where a third type of record is used to track the multiple connections between the other two types of object. For instance, in a library many people want to read many books that must have their dates audited. To keep track of who has which book, a check-out list (the third record type) is created and updated as books come and go.
- Benefits: extremely flexible, records with start/end date fields create an automatic audit trail, covers situations where multiple people need to relate to the same resource or vice versa
- Constraints: generally slower to report on, can lead to invalid relations to a resource that cannot be shared, some systems limit the rollup or reportability of this style of relationship, relationships often cannot be traversed in queries and must be manually pulled and correlated
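The library example above, worked through as an added illustration (this is constructed example code, not anything from Jumpstart's systems): the check-out table is the join object, its start/end dates form the audit trail, and a partial unique index guards against the “invalid relation to a resource that cannot be shared” constraint by refusing a second open loan of the same book. Table and column names are assumptions for this example.

```python
import sqlite3

# Constructed schema for the library example: people and books are joined
# through the checkout table (many-to-many); each row is one loan.
SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE book   (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE checkout (
    id         INTEGER PRIMARY KEY,
    person_id  INTEGER NOT NULL REFERENCES person(id),
    book_id    INTEGER NOT NULL REFERENCES book(id),
    start_date TEXT NOT NULL,
    end_date   TEXT               -- NULL while the book is still out
);
-- A physical book cannot be shared: allow at most one open loan per book.
CREATE UNIQUE INDEX one_open_loan_per_book ON checkout(book_id)
    WHERE end_date IS NULL;
"""

def open_library():
    """In-memory database seeded with two readers (ids 1, 2) and one book (id 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person(name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.execute("INSERT INTO book(title) VALUES (?)", ("SQL Basics",))
    conn.commit()
    return conn

def check_out(conn, person_id, book_id, date):
    """Record a loan; returns False if that copy is already checked out."""
    try:
        conn.execute(
            "INSERT INTO checkout(person_id, book_id, start_date) VALUES (?, ?, ?)",
            (person_id, book_id, date))
        conn.commit()
        return True
    except sqlite3.IntegrityError:   # the partial unique index rejected it
        conn.rollback()
        return False

def return_book(conn, book_id, date):
    """Close the open loan for a book; returns how many rows were closed."""
    cur = conn.execute(
        "UPDATE checkout SET end_date = ? WHERE book_id = ? AND end_date IS NULL",
        (date, book_id))
    conn.commit()
    return cur.rowcount

def loan_history(conn, book_id):
    """Audit trail for one book: (reader, start, end) rows, oldest first."""
    rows = conn.execute(
        """SELECT p.name, c.start_date, c.end_date
           FROM checkout c JOIN person p ON p.id = c.person_id
           WHERE c.book_id = ? ORDER BY c.start_date, c.id""", (book_id,))
    return rows.fetchall()
```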
Reservation
Description
a commitment to use a certain amount of time on an [[AWS]] service like [[EC2]] at significant savings over the pay as you go plan
Reverse Proxy
Description
The practice of routing traffic meant for a site or service through a different public facing webserver. This allows things like adding in [[SSL]]/HTTPS support, failover or migration handling, or load balancing.
RSAT
Description
The Remote Server Administration Tools set of programs, used to manage Windows servers (both on the server and remotely). It includes a long list of tools, most being modules for the Microsoft Management Console (MMC), and several can often be used simultaneously in the same window. The most common RSAT elements we use are:
- DNS – manages and edits the [[DNS]] settings of the [[Active Directory|internal domain]]
- Active Directory Users and Computers – edits the LDAP records in AD, useful in updating groups and user accounts
- Group Policy Manager – edits the [[GPO]] objects that apply policies (eg software installs and login limits) to users and computers in the AD domain
S3
Description
Short for [[Simple Storage Service]], a core part of [[AWS]] that serves as a file store for both private and public facing files. Combined with [[EBS]] and [[Glacier]], S3 serves as the most common storage infrastructure for most uses of AWS. Unlike a set of files and folders, S3 uses a concept of buckets and objects that can be made to broadly replicate the folders/files feeling but is really not the same. Our current use of S3 is chiefly for assets on the current [[WWW|webpage]] and as needed by the file level backup provided by [[CloudBerry Backup]].
SaaS
Description
Acronym for Software as a Service, a model of software use wherein the publishing company hosts/runs the software from their servers instead of requiring us to install it locally on our own.
Key Notes
- Security is always a concern when something is running on machines one does not control, so getting details about the hosting environment is important
- Evaluating the cost/benefit ratio for SaaS products is important as there is always a premium for hosted software versus self-hosting, but not having to manage security updates or hardware outages can be a big advantage (though the hardware cost could potentially be defrayed by using an [[IaaS]] service, with the same premium caveat however)
- Be especially careful to review contract terms and stipulations – many will have a minimum spend level (for instance requiring the purchase of 20 users minimum) or may price gate certain features like [[SSO]] (“only with our Enterprise plan, call for cost” is all too common)
sAMAccountName
Description
This is a particular type of username in [[Active Directory]], a legacy from old systems that had a hard limit on the length of the username (20 characters). It also cannot use the domain in email format, like adding “@jstart.org” to the end, but if a domain is needed it is prefixed like “jstart\”. Generally it is in the format of the first letter of the first name combined with the last name, but the username may be truncated or have numbers added at the end to ensure it is unique in the [[AD]] environment.
Note
The sAMAccountName is required when using certain services, chiefly when logging into the [[System Services/Meraki|Meraki]] [[ClientVPN]].
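An added illustration of the naming pattern described above (example code written for this page, not Jumpstart's provisioning process): first initial plus last name, capped at 20 characters, with a numeric suffix when the name is already taken, plus a helper that strips the “jstart\” prefix or “@jstart.org” suffix a user might type. The exact normalisation and suffix rules, and the assumption that the UPN prefix matches the sAMAccountName, are assumptions for this example.

```python
import re

SAM_MAX_LEN = 20  # hard limit inherited from legacy Windows systems

def base_sam_name(first, last):
    """First initial + last name, lower-cased, letters and digits only
    (the normalisation rule is an assumption for this example)."""
    base = re.sub(r"[^a-z0-9]", "", (first[:1] + last).lower())
    if not base:
        raise ValueError("name yields an empty sAMAccountName")
    return base[:SAM_MAX_LEN]

def unique_sam_name(first, last, existing):
    """Return a sAMAccountName not already present in `existing`
    (AD usernames are case-insensitive, so compare lower-cased)."""
    taken = {name.lower() for name in existing}
    base = base_sam_name(first, last)
    if base not in taken:
        return base
    for n in range(2, 1000):
        suffix = str(n)
        # Trim the base so base + suffix still fits within 20 characters.
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free sAMAccountName for this name")

def bare_sam_name(logon):
    """Reduce 'jstart\\jsmith' or 'jsmith@jstart.org' to 'jsmith', the form
    the ClientVPN expects (assumes the UPN prefix equals the sAMAccountName)."""
    if "\\" in logon:
        logon = logon.split("\\", 1)[1]
    return logon.split("@", 1)[0]
```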
Scaling
Description
Scaling refers to increasing or decreasing some aspect of a system to better match its actual use. This is similar to right-sizing, though often right-sizing is focused on decreasing resources and scaling tends to only go up. There are two major ways to scale, though the first question should never be how but if. Oftentimes the need to scale is actually the result of poor code performance or an issue with system design, like routing internet traffic through more gateways than it actually needed to go. Data queries that are “greedy” are another good example – if you will only be working with one record at a time, don’t query and transfer all of them up front, rather go on an as-needed basis. If you still find you need to scale, you can scale:
- Vertically – just give the server more power; whether RAM or CPU, whatever the bottleneck is just pay for more of that resource. This is the best one to start with, as you can measure results right away, and even fine tune how much time it needs to run at an increased capacity before scaling it back down to match your normal workload
- Horizontally – this one is much trickier, as your application needs to support parallel workflows. Sometimes this is very easy, like serving up a static website where multiple web servers can be put behind a [[Load Balancing|load balancer]] and just serve the static content no problem. But if your service relies on real-time data from a database, or needs to be able to track a user’s session, you will have to be very careful to make sure the data needed is accessible to all possible application hosts at the time of request, and make sure it is accurate and up to date as well. There is very little that Jumpstart does that could ever benefit from horizontal scaling at the moment
SEO
Description
Search Engine Optimization, the practice of making web content stand out to search engines and increasing the likelihood of visitors. There are many false promises and bad tools in the SEO ecosystem; the core principles, however, are sound:
- Prioritize accessibility (eg Section 508 is a United States federal law, WCAG is a set of globally recognized guidelines)
- Use semantic page structure (H1 is actually the first heading/most important part, H2s are children of that H1 concern, and so on)
- Use web standards like meta descriptions, accurate page titles, social post format hints, well structured URLs, etc
We use [[SproutSocial]] to manage social engagement, [[Google Analytics]] for traffic analysis, and [[Yoast]] or [[AIOSEO]] for page-level SEO on the [[Siteground#Main Website]]
SLA
Description
Acronym for Service Level Agreement; the basic expectation of service one can expect from a vendor. It might be measured in uptime (aka “9s”, as in 99.9?%) or in responsiveness for a given level of issue. Both are critical factors to know before a crisis strikes, and having a documented expectation to call on when a vendor isn’t responding is very helpful. It can also allow for refunds or reimbursements for slow responses or outages, but again these are only as good as what is agreed on before disaster strikes.
Slug
Definition
The bafflingly named ID of a resource in [[WordPress]]. It can only use letters, numbers, the hyphen, and the underscore characters. Used heavily to align integrations across multiple systems, from [[System Services/Salesforce/Salesforce|Salesforce]] to [[Active Directory]] out to [[System Services/MyJStart|MyJStart]] and beyond
sObject
Description
an sObject is a [[Salesforce]] data structure, a schema or table. A decent parallel would be an Excel table – the “fields” of an sObject are like the column names in a table, and each row is a separate record. There are many Standard sObjects like [[Account]], [[Contact]], and [[Campaign]], but Salesforce allows you to create your own as well. Jumpstart has several [[Custom Objects]] that encapsulate things like [[Children]], [[Classroom Registration]], and [[Affiliation]] (that one being added by the [[Nonprofit Success Pack]] installed package).
Source of Truth
Description
a standard way to refer to the idea of having just one place that is authoritative above all other data sources about a given topic. For example, it is easy for information saved in Excel files to get out of sync if copies are passed around over email and different generations of edits are present. However, by using something like [[System Services/Salesforce/Salesforce|Salesforce]] to maintain the data, all the various Excel files can be checked against a common authority.
The challenge with any source of truth is keeping it accurate and up to date. If staff does not maintain that practice it will be of no help, but that is a personnel/management issue that leadership must handle and make a priority.
SQL
Description
acronym for Structured Query Language, a particular way of writing input and output statements for relational databases. SQL is a broad group of similar implementations for databases like [[MySQL]] and [[PostgreSQL]], though each has its own special keywords and concepts in its more advanced uses.
SQS
Description
Acronym for the [[Simple Queue Service]] on [[AWS]]. It is a high availability message receiver that allows you to assign a URL as the ingest point for any kind of data, especially if you expect it to be high-volume.
SSH
Description
Short for Secure Shell, a highly secure protocol used to connect to remote servers and interact with a command line terminal. This is the primary method of managing Linux servers, and recently Windows has adopted it for some uses as well.
SSL
Description
an acronym for Secure Sockets Layer, this is the broad protocol that ensures the encryption of not just websites but several other network traffic related functions. It relies on the use of [[Cert|certs]] to ensure that the identity of the server being reached is what the requester expected, and then encrypts the information in transit to answer the request.
SSO
Description
Acronym for Single Sign On, a broad term for any method of verifying a user’s login with a trusted third party. The trust relationship must be created first, often using either the OAuth2 or SAML protocols. Implementations can vary from a simple access check (authorization, OAuth2’s strength) to fully syncing or establishing identity (authentication, SAML’s). When using SAML it is possible to include group memberships, for instance, whereas OAuth2 simply checks if the given user is on record in the authorizing system as having access to the requested resource.
Practically speaking little of this matters from the user’s point of view, but the more authentication and authorization can be handled in one step the better. From a systems level it means preferring SAML, but often the only option a third party service will offer is OAuth2 (through the use of “Login with Google” buttons for instance).
The most critical part of this is that it greatly reduces the number of passwords a user must manage, allowing better security requirements to be put in place without overwhelming staff.
Key Notes
- SSO should always be prioritized; services without it should be carefully weighed and measured as to their fit for our environment
- User accounts in Microsoft 365, Active Directory, and Google are free, so there is no reason for any party, external or otherwise, to be allowed to use a non-Jumpstart account to access materials or services that are SSO integrated
TOTP
Description
An acronym for Time-based One Time Password, a method of securely generating short codes from shared secret information. A form of [[MFA]] that works across platforms and is more secure than SMS/texting based forms.
UAC
Description
The User Account Control system in Windows. It is most often experienced as the pop-up that requires administrator approval before performing an action like installing software. This prompt cannot be controlled remotely through [[Teams]] and many other remote access tools, necessitating the use of something like [[RustDesk]].
VM
Description
an acronym for Virtual Machine, a way of using one set of physical hardware to allow multiple self-contained systems to run on its resources. The physical computer is known as the host, and the software it runs to create virtual machines is called the hypervisor.
[[AWS]]
Amazon Web Services runs several of our VMs on their own hardware through services like [[EC2]] and [[RDS]]
Hyper-V
Microsoft’s hypervisor software; we use this [[on-premise]] to run our VMs. We used to use another product called VMware ESXi, but the licensing and management of that were more convoluted than we needed. Servers that run Hyper-V are labelled JS-[their location]-Host## in [[Active Directory]]
[[Docker]]
Not a true hypervisor but rather a container service; it still has enough in common with traditional virtual machines that it is worth mentioning here
VPC
Description
Acronym for Virtual Private Cloud, a “cloud” hosting service’s product that creates a virtual network between servers and services in a host’s environment (this is true for both [[AWS]] and [[Azure]]). It uses “Security Groups” for firewall rules, a routing table for controlling traffic flow, and makes sure details like the network gateway and [[DNS]] servers are set correctly. One AWS account can run multiple VPCs, but Jumpstart only needs one as we have a flat server structure.
VPN
Description
Acronym for Virtual Private Network. Emulates a physical network by creating a secure tunnel to the VPN concentrator, an endpoint that may be hardware or software but that ultimately handles network traffic as if the connected computer was plugged in with a wire. The VPN setup communicates to the local computer the network gateway, [[DNS]], and routing information so that it is as if the client computer is sitting physically in the room with the VPN concentrator. There are several different protocols and ways to set up VPNs.
Protocols
IPSEC/IKEv2
Each office [[Meraki MX64]] unit has its VPN concentrator activated and set up to use IPSEC. It is an old but trusted protocol and multiple connection profiles are deployed to each Jumpstart laptop by [[PCs – VPN Settings|Group Policy]]. The only downside to this protocol is that it uses its own ports (the network settings that define different kinds of traffic) which some public wifi (like coffee shops and hotels) block from time to time.
The way Jumpstart uses this is through a [[PCs – VPN Settings|Group Policy]] that deploys to all PCs on the domain and creates a series of connections to [[ClientVPN]] endpoints in each office. This can also be used to log in to a computer for the first time even off network by selecting the login through VPN option from the Windows login screen in the lower right hand corner. Critically, the username in this case is the [[sAMAccountName]], the short version of the username that is generally the first letter of the first name and the last name, without the “@jstart.org” part at all.
SSTP
Secure Socket Tunneling Protocol is a recent development that allows secure traffic to pass over the same port as normal web traffic (port 443) so that the majority of routers and firewalls cannot detect or block the traffic. It currently only works on Windows without significant work. Jumpstart has an SSTP concentrator set up on [[JS-AWS-SupportApps]] using the [[SoftEther]] package, but it has only been targeted at travelling execs so far.
Setup
The most important detail of setting up a VPN connection on the client side is understanding if you are using Full-tunnel or Split-tunnel traffic.
- Full-tunnel means that all network traffic to and from a computer is entirely done through the VPN, with no traffic passing through without encryption (there is a possible caveat to this around DNS queries, but that won’t contain any PII)
- Split-tunnel means only traffic aimed specifically at Jumpstart servers will be sent through that tunnel, everything else will just continue to use the local network connection. This means the other requests will likely be much faster (great for Teams calls for instance), but they are no more protected than any other back and forth over the public network
Webhook
Description
Basically just the other side of an [[Key Terms/API|API]], generally something set up in a service that reacts to internal actions by sending data to an external URL. An example of webhook use is seen in [[Stripe]], where once a transaction has a new “event” (like a rejected or completed transaction) it sends data to a [[Power Automate]] flow to allow for further processing.