Nutanix Benefit 10: Secure by Default with Native VM-level Data Encryption


View all current content in this series and make sure you don’t miss upcoming installments: Nutanix Top 10 Benefits Series.

Throughout the Nutanix Benefits series, you’ve learned about the versatility, efficiency, and resiliency of the Nutanix Cloud Platform. The series highlighted unique characteristics of the Nutanix architecture that enable high performance and resiliency even at scale. Combined with enterprise-grade replication and disaster recovery, these give customers a compelling platform with freedom of hypervisor choice and license portability. You also saw how Nutanix provides integrated self-service database management and fully unified storage to meet your application needs on a single platform. All of these benefits matter, but none of them matter if the platform or the data on it isn’t secure, and security is arguably the most important thing to enterprises.

Nutanix takes security seriously with a layered approach encompassing the platform, the data, and finally your applications. Let’s focus on what matters the most to you, data security. We’ll cover platform and application security briefly but that needs a separate series altogether!

Platform Security

Security starts in product development, where Nutanix follows its security development lifecycle (SecDL) processes.

Nutanix also maintains a security baseline through secure configuration management and automation (SCMA), which automatically inspects the running configuration and reverts any change that does not match the baseline.

Application Security

Next we secure your applications with Flow Network Security and Security Central to prevent and detect threats at the network level.

These elements are critical for creating, implementing, and monitoring the security policies and posture of all of your essential applications.

Data Security

Data is the key asset of any organization and must be protected. Maybe your data contains sensitive intellectual property, or maybe you hold customer data and must pass regulatory scrutiny. Whatever your needs, Nutanix makes it easy to protect your data.

Nutanix Unified Storage provides security through Data Lens to detect anomalies and protect against ransomware. More on Nutanix Unified Storage capabilities can be found here:

Nutanix Benefit 9: Fully Unified Storage

Data-at-rest encryption (DaRE) also plays a big part in your security strategy.

While you need high performance and highly available access to your data, you also need to make sure that ONLY YOU have that access. With the ever-increasing threats to data, you need to take a defense-in-depth, Zero Trust approach to security. This means securing every relevant attack surface to prevent unauthorized access and exfiltration of data, so your organization can maintain data integrity and confidentiality. While this may seem like common sense, many organizations leave critical areas exposed through a lack of insight, a lack of budget, or simply a lack of risk awareness, and these exposures can lead to catastrophic breaches and loss of data. You typically find firewalls providing edge security, VPNs and TLS securing data in flight, and endpoint security protecting hosts and users, but what about the storage itself? The storage medium is an at-risk element that often gets overlooked, yet data at rest has far more value to a malicious actor.

To put this into perspective, let’s compare a man-in-the-middle attack with a malicious actor getting hold of a storage element such as a hard drive.

In a man-in-the-middle attack, the actor must first get onto the network path, then intercept the data in transit (hoping it is not encrypted), and capture enough of the stream to reassemble something meaningful before they can take any malicious action.

With unauthorized access to, or nefarious acquisition of, the storage element, all of the data is there for the attacker in one place. Once they have an unprotected disk, they have the data. This can happen during equipment recycling, when retiring old servers, or when returning failed drives under warranty. The consequences can be disastrous for an organization and can carry legal ramifications; imagine that data containing client PII (personally identifiable information). Headlines show this scenario isn’t fictional.

DaRE mitigates this risk with minimal overhead. Keep its scope in mind: it protects data on the medium from anyone who lacks the keys, so a pulled or recycled drive is unreadable, but it does not by itself protect a running VM from an attacker who already holds valid credentials or has compromised the guest.

Data-at-Rest Encryption (DaRE)

Data-at-Rest Encryption is exactly what it sounds like: the encryption of data where it is stored.

Nutanix provides robust DaRE capabilities that save time and reduce complexity. Customers choose how they would like to encrypt their data and which data gets encrypted. Let’s look at the details of these capabilities.

Nutanix Software-Based Data Encryption with Native Key Manager  

This is the most popular option because it is the most economical and does not compromise security. Nutanix native software encryption uses AES-256, the same standard used by self-encrypting drives (SEDs), so customers can meet their security requirements without paying the price premium of SEDs. Thanks to the Nutanix software-based native key manager, no expensive external key management platform is required either.

Check out the full list of options in the figure below for the different types of storage media and key management.

Nutanix is well known for giving customers choice and flexibility when it comes to deploying your Nutanix Cloud Platform. These choices run the gamut from hardware to hypervisor. We provide that same level of flexibility when it comes time to choose how to secure data using DaRE based on your desired level of protection. 

Options for applying DaRE 

Data-at-Rest Encryption can be applied in a few different ways. This allows choice on encrypting the entire cluster, just the storage containers, or even selecting specific VMs to encrypt.

Applying encryption at the storage container allows encrypted and unencrypted containers to coexist within the same cluster. Some external key managers are licensed by the amount of data being encrypted, so encrypting only the specific containers that need it may curtail cost compared with encrypting the entire cluster. Another significant benefit of encrypting at the storage container is that each container can have its own encryption key. This is especially useful in a multi-tenant environment, where each tenant can be given its own container.

Storage Policies for Encryption

Storage policies in AHV are the newest option, and the most flexible (and coolest) way to deploy DaRE. Storage policies in Prism Central let you apply storage parameters such as encryption to a VM or set of VMs by category: a storage policy uses categories to associate a VM or group of VMs with the policy. Instead of encrypting the entire cluster or an entire storage container, you can now encrypt individual VMs. This method pays off again in multi-tenant environments, whether at an MSP or within an enterprise: tenants placed in different containers can each have their own encryption keys while policy selects which of their VMs are encrypted. Now that truly is flexibility and choice.
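The two ideas above, one key per storage container and encryption selected per VM by category, can be made concrete with a small model. The following is an added example written for this page, not Nutanix code, and it does not reflect how AOS, the native key manager or Prism Central storage policies are implemented; the container names, the "Tenant:A" category, the wrapped-key format and the VM records are all constructed for illustration. It uses AES-256-GCM, keeps one data encryption key (DEK) per container that is stored only wrapped under a key-encryption key (KEK) held by a stand-in key manager, and consults a category-keyed policy map on every VM write.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical DaRE model (added example, not Nutanix code): one AES-256 DEK per storage
// container, stored only wrapped under the key manager's KEK, plus a category-keyed policy.

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this model is 32 bytes, so this cannot happen
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext||tag; aad is authenticated, not encrypted, so a blob
// cannot be replayed in another context (a different container or VM).
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KeyManager stands in for the native or an external key manager: the KEK lives only here.
type KeyManager struct{ kek []byte }

func NewKeyManager() *KeyManager { return &KeyManager{kek: randBytes(32)} }

// NewContainerDEK mints a DEK and hands back only its wrapped form, bound to the
// container name so one container's wrapped key cannot be presented for another.
func (km *KeyManager) NewContainerDEK(container string) []byte {
	return seal(km.kek, randBytes(32), []byte(container))
}

func (km *KeyManager) UnwrapDEK(container string, wrapped []byte) ([]byte, error) {
	return open(km.kek, wrapped, []byte(container))
}

type Cluster struct {
	km         *KeyManager
	wrappedDEK map[string][]byte // container -> wrapped DEK (persisted on the cluster)
	disk       map[string][]byte // "container/vm" -> exactly what a pulled drive yields
	encryptCat map[string]bool   // storage policy: VM category -> encrypt
}

type VM struct{ Name, Container, Category string }

func (c *Cluster) Write(vm VM, data []byte) error {
	key := vm.Container + "/" + vm.Name
	if !c.encryptCat[vm.Category] { // no policy match: plaintext on media
		c.disk[key] = append([]byte(nil), data...)
		return nil
	}
	dek, err := c.km.UnwrapDEK(vm.Container, c.wrappedDEK[vm.Container])
	if err != nil {
		return err
	}
	c.disk[key] = seal(dek, data, []byte(key))
	return nil
}

func (c *Cluster) Read(vm VM) ([]byte, error) {
	key := vm.Container + "/" + vm.Name
	if !c.encryptCat[vm.Category] {
		return c.disk[key], nil
	}
	dek, err := c.km.UnwrapDEK(vm.Container, c.wrappedDEK[vm.Container])
	if err != nil {
		return nil, err
	}
	return open(dek, c.disk[key], []byte(key))
}

// NewDemoCluster: two tenant containers with their own DEKs; the constructed policy
// encrypts only VMs in category "Tenant:A".
func NewDemoCluster() *Cluster {
	c := &Cluster{km: NewKeyManager(), wrappedDEK: map[string][]byte{},
		disk: map[string][]byte{}, encryptCat: map[string]bool{"Tenant:A": true}}
	for _, name := range []string{"tenant-a", "tenant-b"} {
		c.wrappedDEK[name] = c.km.NewContainerDEK(name)
	}
	return c
}
```

Reading `disk` directly, as someone holding a pulled drive would, shows the record written by a VM in category "Tenant:A" is unreadable while the record of an unpolicied VM is intact; reading through `Read` round-trips because it can reach the key manager; and because each wrapped DEK is bound to its container name, tenant-b's wrapped key is rejected if presented for tenant-a, which is what gives per-container key separation its teeth. The model also shows where the real threat model has to go next: if the KEK were stored on the same media as the wrapped DEKs, the drive-theft scenario would be back, which is why the key manager, native or external, must keep it elsewhere.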

Why Does This Matter?

Nutanix is built on a secure foundation with programs such as our security development lifecycle, secure configuration management and automation, and data-at-rest encryption that takes only 30 seconds to enable. All the storage performance and resilience in the world mean nothing if security and integrity aren’t also first-class priorities. This security-first approach helps Nutanix customers achieve their security objectives with features that are easy to use and easy to automate.

With this Nutanix Benefits series we hope you see why customers trust Nutanix to run their high-performance, business-critical applications. The platform is built from the ground up on core architecture principles that benefit your applications immediately and at scale. From a well-planned distributed platform to database management, Nutanix has its customers covered with features that are easy to use, easy to deploy, and secure.

But don’t take our word for it, see for yourself. Take a Test Drive to experience the Nutanix Cloud Platform, or dive deeper into the world of security at nutanix.com/security.

© 2024 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not been independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.