Security is in our DNA at Nutanix. A significant proportion of our business comes from sectors that care deeply about security, including federal, state and local government, financial services, healthcare, retail and more. This is why we build security in as an automated part of every configuration and deployment: it is on by default, and it is continuously monitored for compliance against the security baselines and Security Technical Implementation Guides (STIGs). Unlike some vendors in the HCI space, Nutanix doesn't apply just a single STIG; we apply multiple STIGs automatically and continuously verify against them. But what is a STIG anyway?
The Defense Information Systems Agency (DISA) describes STIGs on its Information Assurance Support Environment web site as follows, and I quote:
“The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.”
STIGs are not only used by the US Federal Government and Department of Defense; they are also the security configuration standard of choice for many industries that are concerned about security. They can be incredibly comprehensive and run to many hundreds of pages of configuration detail. Often each item in a STIG needs to be evaluated independently, and the combination of security settings then needs to be tested to ensure it applies the intended hardening without breaking required functionality.
When Nutanix decided to develop our STIG frameworks, we decided to do everything in a machine-readable format so that the baselines are easy to maintain and our software can configure itself to the hardened standard automatically. Nutanix automates a regular health check of the applied STIG, and if the system is found to be non-compliant, it reapplies the baseline settings. The system is therefore hardened when it is deployed and stays hardened afterwards, which reduces the risk of drift from admin misconfiguration. This saves our customers the manual configuration work and the potentially months of testing that come with a manual process. Reducing the latency from deployment to a production-ready hardened system matters when you want security as well as agility and a lower cost of ownership.
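To make the check-and-reapply loop concrete, here is a small added example written for this post; it is not Nutanix code and says nothing about how the Nutanix implementation works internally. It audits an OpenSSH `sshd_config` against a handful of directive/value pairs chosen to resemble common Linux STIG requirements (the baseline is illustrative and carries no DISA rule identifiers), reapplies the required values where the configuration has drifted, and re-audits to confirm compliance. The sample configuration is constructed. Note that sshd honours the first occurrence of a directive, so the audit models that rather than the last.

```python
"""Illustrative STIG-style audit / remediate / re-audit cycle for sshd_config.

Added example, not Nutanix code. The BASELINE below is constructed to resemble
typical Linux hardening requirements; it is not a DISA rule set.
"""
import re

# Required directive values (illustrative, not DISA identifiers).
BASELINE = {
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "Protocol": "2",
    "ClientAliveInterval": "600",
    "X11Forwarding": "no",
}

# "Directive value" on one line; sshd directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s+(.+?)$")


def effective_settings(text):
    """Map lowercased directive -> (name_as_written, value) using the FIRST
    uncommented occurrence, because that is what sshd applies."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            settings.setdefault(m.group(1).lower(), (m.group(1), m.group(2)))
    return settings


def audit(text, baseline=BASELINE):
    """Return findings as (directive, expected, actual_or_None), in baseline order."""
    effective = effective_settings(text)
    findings = []
    for directive, expected in baseline.items():
        found = effective.get(directive.lower())
        actual = found[1] if found else None
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


def remediate(text, baseline=BASELINE):
    """Rewrite every uncommented occurrence of a baselined directive to the
    required value and append any directive that is missing. Idempotent."""
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        m = None
        if stripped and not stripped.startswith("#"):
            m = DIRECTIVE_RE.match(stripped)
        if m and m.group(1).lower() in wanted:
            name, value = wanted[m.group(1).lower()]
            out.append(f"{name} {value}")
            seen.add(name.lower())
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def enforce(text, baseline=BASELINE):
    """One health-check cycle: audit, reapply the baseline only on drift, re-audit.
    Returns (findings_before, resulting_text, findings_after)."""
    before = audit(text, baseline)
    if not before:
        return before, text, []
    fixed = remediate(text, baseline)
    return before, fixed, audit(fixed, baseline)


# Constructed sample: an admin re-enabled root login and commented out a control.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config showing post-deployment drift
Port 22
Protocol 2
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding no
ClientAliveInterval 600
"""

if __name__ == "__main__":
    before, fixed, after = enforce(SAMPLE_SSHD_CONFIG)
    for directive, expected, actual in before:
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
    print(fixed)
    print("compliant after reapply:", not after)
```

In a real deployment the baseline would come from the DISA-published XCCDF/SCAP content and be evaluated by an SCAP scanner rather than a hand-rolled parser; this example also ignores sshd `Match` blocks, where a directive applies only to the matched connections, so treat it as an illustration of the continuous-compliance loop rather than a production checker.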
Each component of the Nutanix Enterprise Cloud Platform is covered by the relevant STIGs. This includes Nutanix AHV as well as the Nutanix Controller VM, the Prism Central VM(s) and so on.
Let's first cover the Nutanix Controller VM, the Nutanix AHV hypervisor and the Prism Central VMs. For AHV/AOS up to 5.5, the base STIG covering all of these components is the Linux OS SRG-derived STIG; prior to 5.5, Nutanix had a more comprehensive custom STIG implementation than the standard Red Hat Enterprise Linux 6 STIG because of our user-space design. From AHV/AOS 5.5 onwards, Nutanix implements the Red Hat Enterprise Linux 7 STIG. These can be found under the DISA Unix/Linux STIG index and on the Nutanix Support Portal.
Next, the individual software components within the above are also covered by their own STIGs or SRGs. These include web servers (Apache), application servers (Tomcat, under the Application Server SRG) and Java/JRE.
A full list of the available STIGs from A to Z is available here. Sunset product STIGs and SRGs are available here.
If you are running VMware as the hypervisor on top of Nutanix, you should evaluate the VMware-specific STIGs covering vCenter and vSphere. For a Windows-based vCenter Server you will need to apply the Windows STIG in addition to the vCenter STIG. For the vCenter database you will need to apply the Windows or Linux STIG in addition to the database STIG. All STIGs need to be applied correctly and tested together. Be aware that not all VMware products are covered by STIGs, and not all products comply with the relevant STIGs; seek specific advice from VMware if you have any concerns. If you are running Microsoft Hyper-V on top of Nutanix, you should evaluate the Microsoft Windows STIGs.
Final Word
In an age of increasing cyber attacks and data breaches, security is critical. You can choose a manual hardening process with a significant testing effort, or you can choose the Nutanix approach of automation, continuous compliance testing and reporting. Vendors should provide secured systems by default so that it doesn't take months to reach a production standard. This is the Nutanix philosophy.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com. By Michael Webster. Copyright © 2012 – 2017 IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.