Secure By Default

Is hyper-converged infrastructure (HCI) more secure than traditional infrastructure? Yes, or at least it has the opportunity to be. Traditional solutions, including converged infrastructures, are ‘stuck’ in baselines because a third party has to “approve” changes made to the baseline, which can take months to years. That leaves a traditional infrastructure open to every publicly known attack vector announced, for any script kiddie to use against your preciously secured legacy baseline. Hyper-converged solutions can and do supply updates much faster, significantly reducing the threat landscape, because they are not concerned with the vast interoperability complexities that updating software versions presents in traditional solutions.

Traditional solutions are nothing more than an integrated hodgepodge of independently developed products bolted together; think VCE or FlexPod. Security best practices are forced to be lax because of interop, weakening the design. Hyper-converged solutions are developed together and, as such, can be, and are, developed to be much more secure than traditional solutions will ever be, because they act as a single software platform rather than being integrated by a third party with no access to, or ability to modify, the source code of the duct-taped integration.

Does that mean all HCI is the same? No. Nutanix has taken great strides to lead with security. While I wasn’t close to the deal, I can almost bet my year’s wage that the FBI selecting Nutanix for VDI had a lot to do with security. The issues mentioned above are in large part taken care of by Nutanix’s Security Development Life-cycle (SecDL) and the automated Security Technical Implementation Guides (STIGs). SecDL and the automated STIGs set Nutanix apart from any other HCI vendor.

The newly written Security Tech Note from Nutanix goes through the SecDL and what the STIGs have to offer customers. The ability to shrink a time-consuming process from months to minutes, in both development and hardening, is helping to keep Nutanix customers secure from emerging threats that show no signs of slowing down.

Please read the Security Tech Note and let me know what you think.

< Download here >

< Video on KVM security automation >


Nutanix Acropolis – Hypervisor STIG – Don’t make security a point in time.

See Nutanix’s self-healing hypervisor STIG using SaltStack Automation behind the scenes.

< Download The Nutanix Security Tech Note here >


Nutanix On Security – It’s A Lifestyle Choice

Security has always been top of mind at Nutanix. NOS 4.1 has a ton of new security features, but it’s not like one day we decided we were going to get good at this “Security” thing. Nutanix made great strides early on to tighten the ship and provide the most secure platform for its customers. Between NOS 2.6 and NOS 3.0 the core operating system moved from Ubuntu to CentOS. The upgrade process was a rolling upgrade with no downtime, which is kind of a marvel in itself.

Moving all pieces of development to CentOS had lots of benefits; Simon Mijolovic explains the top drivers of the initiative.

1. Ubuntu is not 100% RHEL binary compatible. That’s very important when you are dealing with the time, cost, and complexity of FIPS validation. With CentOS we can easily make FIPS assertions, and as long as we didn’t change any code of the crypto APIs/library, we had a plan that didn’t require major investment.

2. Ubuntu was designed as a desktop OS, but CentOS was designed as a server architecture. While Ubuntu has made strides to transition to a server architecture, it’s still missing some core security features that come natively with CentOS that make it enterprise ready.

3. RHEL binary compatibility and their security focus are well known to our customer base – a comfort factor with established ways to protect the architecture vs. an uphill battle of arguing our choice.

4. Third-party support is troublesome to our customer base and partners. Customers can buy a support contract for CentOS directly from Red Hat.

There are a lot of reasons why the choice was made – the reasons above were at the top of the list.

The other point to make is that saying your platform is secured and/or trusted is not a good thing; it would put us in the crazy camp. Nothing is 100% secure, and you can’t 100% trust anything. Our approach makes no claims to a level of “secured” or “trusted”. It just claims we harden our design at every level to a degree of detail that is disgusting, but automated. Saying your system is 100% secure is wishing evil things upon you, like the Sands Casino attack.

Security is a lot like dieting: you need to make the lifestyle choice for the long term, or you end up on yo-yo diets and never really get anywhere.

Secure platforms - For how long?

Stay safe and harden up those abs 🙂