Nutanix Security Development Lifecycle – Uncompromisingly Simple and Automated Security for All

Posted by on in | 706 Views | 1 Response

Security is not a product but a process“- Bruce Schneier, well renowned cryptographer and security specialist. This has been my experience. Nothing can be totally secure, it is a process of identifying and mitigating risks and of constant vigilance. The process, people and the technology are all critical elements involved with helping prevent breaches, or dramatically lower their risk, and in conducting forensic analysis after breaches to prevent them occurring again.  Many are now adopting a zero trust approach to security where east west traffic (i.e. traffic between systems) as well as north south traffic (traffic between security zones or network segments) is monitored and locked down as much as possible. But security really can’t be an after thought, it really needs to be baked in from the get go, and you need tools to help constantly monitor your configuration baselines to ensure compliance, which in the end minimizes risk. This is what brings me to Nutanix and how we approach security in our products, while keeping things uncompromisingly simple.

The best place to start baking in security to any product is during product definition, product design, and early product development, and then continuously monitoring throughout the complete product lifecycle. At Nutanix this starts with every engineer, architect and product manager and also with the Nutanix Security Engineering and Research Team (nSERT). But there is always a balancing act, and part of the charter of the nSERT team is to keep security and agility in mind. Gone are the days where you simply had a NO at the door of the security team. The charter of the nSERT organization is to invoke the most agile and comprehensive security best practices into Nutanix development culture for the benefit of all customers.

The nSERT team specialize in security development for hardening automation, tracking and trending security risks, and greatly reducing systemic platform deficiencies with a threat modeling process enforced by our Security Development Life-cycle.  They are involved right from the start, and not only bake security into the product, but also automating the assessments. They also focus on greatly reducing customer burden for compliance by providing extensive documentation on product baselines.  They are aligned closely with Quality Assurance and Support Organizations to increase agility in supporting rapid response to known vulnerabilities. The ultimate goal is to make the Nutanix platform as secure as possible, and at the same time have it be as simple as possible. Simply secure.
SecDL-22
 If you can make security easy to comply with, then more org’s will implement it, and everyone can benefit. That is why when Nutanix developed the Security Technical Implementation Guides (STIG’s for short), which is essentially a lock down guide for secure environments (especially Government) we provide them in eXtensible Configuration Checklist Description Format (XCCDF), so that the audit and compliance checks can be done automatically. This is to support the Security Content Automation Protocol (SCAP) standard. The audit process to ensure compliance and gain sign off can be completed in as little as 30 minutes on a Nutanix platform, this can take between 9 and 12 months on other platforms. Because of this automation the compliance checks can also be run more regularly and without the overhead that was once necessary.
Nutanix is also certified against industry security and compliance standards and frameworks, such as Common Criteria, NIST, FIPS, etc. Nutanix believes in doing a lot of the hard work for customers so they can become more secure, with less overhead and operational impact.
NutanixCert2
Final Word

There is a lot more to Nutanix Security than what I’ve described briefly here, including technical features like cluster lockdown mode, two-factor authentication, data at rest encryption etc. I would encourage you to read up more about security in a Nutanix environment, which is suitable for all customers, not just the government and large enterprise organisations. The more people that can implement secure systems easily the more benefit for everyone. Nutanix believes it has created one of the most comprehensive product security frameworks and certainly the most comprehensive of any hyper-converged vendor, whether you require STIG’s, or compliance with PCI DSS or other standards.

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com. By Michael Webster +. Copyright © 2012 – 2015 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.

 

One Response

  1. NPX Link-O-Rama | vcdx133.com
    NPX Link-O-Rama | vcdx133.com at |

    […] Nutanix Security Development Lifecycle – Uncompromisingly Simple and Automated Security for All by… […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.