Collector Security
Nutanix takes a holistic approach to security process to ensure complete protection of customer environment and data. The Nutanix security development life cycle (SecDL) integrates security into every step of product development. All the features and functionalities of Collector Desktop Application and Collector Portal follow the strictest security guidelines.
For additional details about the Collector Desktop Application and the Collector Portal, refer to the Collector User Guide and Collector Portal User Guide available at the Collector Documentation page.
Collector Desktop Application
Collector is a desktop application that is run on Nutanix prospects and existing customer systems. The application connects to the prospect or customers' data centers, clusters, and hosts and collects the configuration and performance data. Since the application is connecting to the users' systems and pulling the information, this guide details the security measures that Collector has in place to ensure that customers can trust the product and feel safe to use the product. Collector Desktop Application Security are covered under multiple categories as described in the sections below.
Software security testing process
Nutanix integrates security into every step of the software development process, which includes automated security testing and threat modelling to assess and mitigate customer risk from code changes.
The following security scans are performed on a daily basis as part of the CI/CD pipeline to detect and fix the vulnerabilities on priority:
-
Static Application Security Testing (SAST)
-
Software Composition Analysis (SCA)
Tool Binary integrity
The Collector Desktop Application tool security process ensures binary integrity on download site by verifying the checksum to ensure the tool is not altered. The Windows bundle of Collector is now digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted.
Web Service Security
The Collector Desktop Application uses strong web service security with HTTPS protocol for data transfer and the following secure information gathering protocols:
-
For vSphere Server and Prism - Hypervisor provider supported APIs.
-
For Hyper-V
-
PowerShell cmdlets through WinRM protocol for remote mode of connection.
-
Systems APIs for local mode of connection.
-
Generated Data control
The Collector Desktop Application tool collects the data shared by the hypervisors APIs while providing the users with full authority to review and modify the data before it is shared.
Data confidentiality
Utmost importance is given to the data confidentiality of the data collected by the Collector Desktop Application. The tool uses asymmetric key encryption with 2048-bit RSA and AES-256 encrypted zip files.
Credential Integrity
As part of the security process for Collector Desktop Application, the server credentials entered by user while logging into the tool are never persisted. The credentials are encoded not only during the communication within the different components of the Collector Desktop Application but also during interface with the respective management servers.
Collector Portal
Collector Portal is a SaaS application that can consume the data collected by the Nutanix Collector Desktop application and show the collected data in the GUI - tables, charts, etc. The users also have an option to push the data to Sizer and get recommendations. Again, the Collector Portal deals with customer data and hence enough security measures have been put in place to ensure safety of environment and customer data. Collector Portal Application Security are covered under following categories as described in the sections below.
Software security testing process
Nutanix integrates security into every step of the software development process, which includes automated security testing and threat modelling to assess and mitigate customer risk from code changes.
The following security scans are performed on a daily basis as part of the CI/CD pipeline to detect and fix the vulnerabilities on priority:
-
Software Composition Analysis (SCA)
-
Static Application Security Testing (SAST)
-
Dynamic Application Security Testing (DAST)
-
Content Security Policy Testing
Additionally, the shared data is secured with mandatory authorization and cannot be accessed without the required authorization even for peer-to-peer sharing.
Datacenter and infrastructure security
The Nutanix datacenter and infrastructure security policies ensure that adequate security measures are in place to protect your data and application.
-
The Collector Portal runs in a secure private space. The public load balancer endpoint is protected by a Web Application Firewall (WAF) that provides protection against malicious requests smuggling and denial of service attacks.
-
The database runs in private space and cannot be accessed outside VPC.
-
Use identity provider supporting risk-based access control to authorize access to service infrastructure through SAML.
-
All infrastructure resources are protected by individual and unique role based access policies.
-
High value information is stored in a secure vault that runs in a private space.
-
Role-Based Access Control (RBAC) is enforced to ensure that the data cannot be accessed by anyone without explicit authorization.