What is your Security Baseline up to today?

  • 26 February 2016
  • 1 reply

Remember the last server you racked? The cabling was perfect, the bezel was attached, thumb screws secured. It was a thing of beauty, and you likely stood back and admired your work. That point-in-time where everything was just where you placed it, exactly like you sketched it, something your mother would be proud of. For that moment, that point-in-time, it was exactly how you wanted it.

Until… life in the datacenter strikes. After you comes the next piece of equipment, the next network outage, a phased replacement of a top-of-rack switch, or perhaps those pesky datacenter squirrels, which I contend to this day exist, that come in just to monkey with your stuff. That point-in-time where everything is perfect… is gone.

Anyone laden with the laborious task of applying Security Baselines to datacenter equipment has experienced a similar moment of nirvana, followed by the same hell. Software, hardware, it doesn't matter; we all live in a world surrounded by points-in-time that do not last. Moments of tranquility followed by the impending dread of the inevitable deviation.

Tasks that are rooted in point-in-time processes cost businesses countless man-hours of labor every day of every year, not to mention the sanity of their administrators. This spend and strain are palpable, and have been for a very long time in the industry.

To curb this spend and add confidence to the application and maintenance of these Security Baselines, we here at Nutanix would like to take you on a journey down our road of Intrinsic Hardening and our new feature, Security Configuration Management and Automation.

The trials of the administrator.

You've all been through this process. You install a product and then spend the next several days or weeks tweaking it to a hardening guide from the company that wrote the software. Many times their software has little to no hardening applied to it natively, and rarely are the guides run through quality or supportability checks. You harden, check the software functionality to find it mostly broken, loosen, and check again until you reach that balance between hardened and functional. It's cyclic and monotonous.

Once you're done you step back and, unlike the nirvana experienced above by the hardware engineer, you usually sigh and take a walk so no one can hear you scream. Many times it's just to come back and do it to the next system, and the next. This accounts for so much time in a team's schedule that eventually even the process of adding new equipment to a datacenter becomes painfully hard, because of the selling needed to convince those administrators that their efforts are, yet again, indeed worth it.

Why must we live in that world?

You should demand more from your providers: processes that are supportable, quality assured, and not massive time sinks detracting from the actual business of the day. You pay good money for your products and shouldn't have to spend a month tweaking and modifying configurations to get them on the network. However, that outcry from the industry is still little more than a whimper, and ownership still falls to the customer. We at Nutanix do not stand for that approach, and neither should you.

At Nutanix our Security Development Lifecycle (SecDL) ensures the product you purchase is intrinsically hardened, derived from a set of security controls, NIST SP 800-53, that spans as many processes and certifications as we can find. That's right: out of the box, already done. Fully documented and completely transparent in its implementation, so you can verify the derived controls for yourself. That's the responsible vendor approach, the one you deserve. Manual hardening, gone. Cyclic and monotonous application of security controls, no more. You can have your day back to do other things.

What about that point-in-time aspect of the Security Baseline? I made the point for a reason, at least you hope I did.

Enter Security Configuration Management and Automation

Standard in Acropolis Base and Acropolis Hypervisor in version 4.6, not only do you receive the intrinsic hardening and baseline documentation in the form of STIGs, you now have a self-healing Security Baseline. That's right: no more point-in-time configuration state in your systems. All Nutanix platforms running version 4.6 give you the option of monitoring that baseline for deviations and self-remediating any it finds. Fully tested for quality and performance, completely supported by our staff, and no effort whatsoever on your part.

Security Configuration Management and Automation (SCMA), spanning both the Acropolis Base and Hypervisor (AHV) products, provides you a continuous and even security baseline management layer. Configurable from any node in the cluster, it persists through upgrades and automatically scales out with you as your demand increases. Need new nodes? No problem. Once added to the cluster they inherit the SCMA periodicity and monitoring settings and start humming. Fully audited and reported: any change to your system that violates the security baseline is logged and remediated.
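To make the detect, log, remediate loop concrete, here is a small illustration added to this post. It is not Nutanix's SCMA code; the `sshd_config` sample, the four-directive baseline, and the remediation strategy (drop every live occurrence of a drifted directive, then append the enforced value) are constructed for the example.

```python
"""Drift detection and self-remediation for a small security baseline.

Added illustration, not Nutanix's SCMA implementation.  It models what a
self-healing baseline does on each periodic pass: parse the live
configuration, compare it with the expected values, log every violation,
and put the violating settings back.  Sample data below is constructed.
"""
import logging

log = logging.getLogger("baseline")

# Constructed baseline: sshd_config directives a hardening guide (such as a
# STIG) typically pins.  Keys are directive names, values the required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text):
    """Return {directive: value} for the FIRST occurrence of each directive.

    sshd applies the first value it reads for a keyword, so the first
    occurrence is the one that matters for compliance.  Comments and blank
    lines are ignored.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in cfg:
            cfg[parts[0]] = parts[1].strip()
    return cfg


def find_drift(cfg, baseline=BASELINE):
    """Return [(directive, actual, expected)] for every baseline violation.

    A missing directive counts as drift: the daemon default is not the
    hardened value, so absence is a deviation, not a pass.
    """
    return [
        (key, cfg.get(key), expected)
        for key, expected in baseline.items()
        if cfg.get(key) != expected
    ]


def remediate(text, drift):
    """Return config text with every drifted directive forced to baseline.

    Every live (uncommented) occurrence of a drifted directive is removed so
    that the single enforced line appended afterwards is unambiguous under
    sshd's first-value-wins rule.  Each violation is logged before the fix.
    """
    drifted = {key for key, _, _ in drift}
    kept = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] in drifted and not line.lstrip().startswith("#"):
            continue  # drop the violating line
        kept.append(line)
    for key, actual, expected in drift:
        log.warning("baseline violation: %s=%r, expected %r; remediating",
                    key, actual, expected)
        kept.append(f"{key} {expected}")
    return "\n".join(kept) + "\n"


def enforce(text, baseline=BASELINE):
    """One monitoring pass: detect, log, remediate.  Returns (new_text, drift)."""
    drift = find_drift(parse_sshd_config(text), baseline)
    if not drift:
        return text, drift
    return remediate(text, drift), drift


# Constructed sample: root login and password auth were re-enabled
# "temporarily" during troubleshooting, and MaxAuthTries was never set.
DRIFTED_CONFIG = """\
# sshd_config on a node after a late-night troubleshooting session
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

if __name__ == "__main__":
    fixed, drift = enforce(DRIFTED_CONFIG)
    print(f"{len(drift)} violation(s) remediated; resulting config:\n{fixed}")
```

In a real deployment `enforce` would run on a timer on every node, read the file from disk, write the corrected text back, and restart the daemon only when `drift` is non-empty; the logged warnings are the audit trail the post refers to. The parser keeps the first value for a directive deliberately, mirroring how sshd itself resolves duplicates.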

Demand more from your products and invest where the value truly is. Want to learn more about our Security process at Nutanix, or about the new features discussed above? Check out the Security team's landing page and continue the conversation on the Nutanix NEXT Community.

This post was authored by Eric Hammersley, Security Architect at Nutanix

1 reply

Definitely one of my scarier nightmares. Spend a lot of effort arranging the perfect server farm fast and find, one month later, that a colleague-hurricane devastated your job for any reason.