Platform Security In the Era of the Enterprise Cloud

  • 19 May 2016
  • 0 replies
Platform Security In the Era of the Enterprise Cloud
Userlevel 7
Badge +35
Businesses worldwide are embracing a new model for IT infrastructure and platform services -- the enterprise cloud -- that delivers the advantages of public cloud services such as agility, fractional consumption and simple operations without compromising on the control provided by private datacenter environments. Popular public cloud services such as AWS take care of providing core infrastructure security efficiently and easily, allowing customers to focus on the security of their applications, networks and users instead. But traditional infrastructure was not designed with holistic security in mind. Every layer within the infrastructure is built with a fragmented view of security and requires independent hardening. Keeping track of the individual patches for servers, storage, and virtualization is not only time-consuming, but often breaks compatibility between components, forcing IT admins to relax security rules.

Infrastructure platforms for the cloud era need a new approach to security, which is more holistic, comprehensive and automated. Security should not be an afterthought, but rather should be ingrained in the way the platform is built so that it arrives hardened out of the box. The enterprise cloud platform should also incorporate continuous monitoring and self-healing to remain in compliance with security baselines over time. All this reduces the effort placed on IT teams to secure the core infrastructure, allowing security to become more efficient.

With Nutanix, Security Comes First
The Nutanix solution is built with a security-first approach to eliminate zero-day threats. It provides end-to-end intrinsic security measures even as it scales, without requiring that the deployment be re-architected as nodes are added. The platform stays secure and compliant while meeting the highest government regulations. Malicious or inadvertent changes can leave security holes for attackers if left unprotected. Nutanix security automation is always-on and will bring baseline configurations back into check without any additional work from IT admins, closing those security holes, and making compliance audits a breeze.

Nutanix security is available in every platform and enabled by default in every deployment. The levels of security can be easily tuned to meet security requirements. Tuning security is done through a few clicks in the UI or CLI commands. The advanced security design provides benefits across many different infrastructure environments through a secure platform, highly automated compliance checks and proven industry certifications. As non-disruptive upgrades are applied, new patches are rolled into the software further mitigating potential threats, along with maintaining previously configured security postures. Nutanix security delivers tight integration and validated security patches across components that are applied without downtime.

Nutanix’s approach to security applies to every aspect of the platform lifecycle, from building and deploying to managing, scaling and supporting. In a series of blog posts, we will discuss how Nutanix provides thoughtful security measures in order to remove heavy lifting customers face when compared with typical three-tier architectures.

Building - The platform is designed and hardened with security engineering experts working hand-and-hand with software development teams through a tightly defined security development lifecycle. Nutanix builds security models from the strictest government standards and complies with industry certifications to assure customers across the globe that products meet their criteria and perform as expected.

Deploying and Managing – The Prism management platform makes deploying and managing infrastructure simple and effortless. In order to prevent man-in-middle attacks and unauthorized access, Prism can be secured with two-factor authentication and cluster lockdown capabilities, all over a secure encrypted channel (i.e. https). Keeping the bidirectional traffic between the administrator and Prism safe from attacks.

Supporting and Scaling – When new threats occur, Nutanix security and support teams are there to quickly assess vulnerabilities and work with engineering teams to provide patches in days/weeks not months or years. Simplified patching through non-disruptive upgrades keeps systems online while removing the attack vectors. Additionally, when scaling out infrastructure by adding nodes, staying secure has never been easier. Each node can be seamlessly added to the cluster with the same hardened software and managed through the same secure Prism interface.

In this post we will explore a crucial part of the platform lifecycle, building a secure platform. When starting infrastructure projects, security isn’t a typical requirement until it is ready to be placed into production. At that point, security hardening is applied and applications break, requiring security policy adjustments. Imagine if the platform was already secure and once the application was deployed it met the security compliance requirements set forth by the organization. Nutanix has taken an approach to do just that.

Building Secure Platforms
Security is built into every part of the infrastructure stack, including storage, virtualization, and management. One of the key ingredients to getting security right is to have a culture that is built upon security. Top management buy-in is critical to ensure developers take the steps necessary to fix and validate code before releasing it to customers.

This saves customers time and money in the long run from not having to constantly deploy patches in production. In order to build a hardened platform, a proven security development lifecycle with security experts and development teams who painstakingly review all the modules and then scan the code with third party tools is a must. Once Nutanix security engineers research the security vulnerabilities, they work with software engineers to build patched systems before going out to customers. As threats continue to emerge, this process is ongoing versus traditional vendors who only offer patches after the software has been released. Nutanix takes a proactive approach versus a reactive one. This way, customers are guaranteed to have a validated infrastructure.

There is no reason for customers to deploy infrastructure that requires hardening after the fact. That only leads to relaxed security rules and back to square one scenarios. When customers consider infrastructure it should be one that’s already been battle tested and ready for production. This is not to say that new threats will not occur between releases, however the number of patches required between releases is significantly reduced with the Nutanix enterprise cloud platform.

For example, DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), a vulnerability in the SSLv2 implementation was revealed in March 2016. DROWN allows attackers to break the encryption and steal sensitive information such as username and password details. The security team at Nutanix was on top of the vulnerability as soon as it surfaced. Since they work closely with the software development teams, it was easy for them to insert a fix. Prism ensures TLSv2 by default (which is not vulnerable) but we produced a patched version of the software within days that remediated the SSLv2 vulnerability. This is easier for Nutanix as it only requires incremental software modifications versus legacy three-tier infrastructure that must be patched across the components, resulting in a several week effort. The Nutanix patches can be easily implemented through the non-disruptive upgrade process.

Assess – Security research and software development teams must work together to understand all the code produced to reduce security vulnerabilities.

Measure - Risk assessment is vital when security is introduced to the software development process. Modeling is important for understanding how any change in development impacts software delivery. The process should model and gauge security as a means to increase efficiency and reduce customer risk.

Reporting – Security configuration changes must have a baseline to feature code with peer review, configuration management, and ownership with milestones.

Test – Integrating security into the software development and quality assurance processes to eliminate known vulnerabilities and meet high-governance compliance requirements.

Update – Strategic security resources that constantly assess software updates and validate components meet industry requirements.

Repeat - Typically, bolt-on code written to get a system ready for production is designed to “fix” a specific version. It should be tracked and maintained in a way to repeat the process as the system requires updates.

Security in the enterprise datacenter begins with a robust infrastructure foundation. Nutanix builds security into the platform from the ground up with rigorous product development processes that incorporate security considerations right from the start. Building products this way allows customers to focus on driving business value rather than putting out fires caused by security vulnerabilities through reducing costs, complexity and scalability challenges. In addition, it eliminates zero-day threats, reduces attack surfaces, and meets security standards without requiring specialized skillsets.

When evaluating infrastructure for a security-conscious environment, it’s imperative to choose one that is built with a security-first approach that continually iterate on patching new threats thereby reducing the attack surface. In the next blog, we will tackle why security is important when deploying and managing infrastructure.

Click here to take a deeper dive into security.

Continue the conversation on our forums and follow Nutanix on Twitter for the latest news and announcements.

This post is authored by Rohit Goyal, Product Marketing Manager at Nutanix

0 replies

Be the first to reply!