Dell EMC VxRail: Comprehensive Security by Design
October 2020 White Paper

Abstract

VxRail, the ideal platform for IT infrastructure and security transformation, provides layers of protection to keep your data and business applications secure. Only the Dell Technologies family of companies can provide the full end-to-end solutions required to keep up with today's evolving threat landscape. This document describes both integrated and optional security features, best practices, and proven techniques for securing your VxRail from the Core to the Edge to the Cloud.

Dell Technologies Solutions

Dell EMC VxRail Appliances: Comprehensive Security by Design White Paper

Copyright

The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. Published in the USA 10/20 White Paper.

Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
Contents

Introduction 5
Security transformation begins with Dell Technologies 5
Bridge to digital future 7
Building trust with Dell EMC product security programs 8
VxRail: The foundation for data center modernization and IT transformation 13
Dell EMC PowerEdge servers 13
Dell EMC VxRail HCI system software 15
VMware vSphere 16
VMware vCenter Server 17
VMware ESXi hypervisor 17
VMware virtual networking 17
VMware vSAN 17
VMware vRealize Log Insight 19
VMware Cloud Foundation—including NSX 19
VxRail security capabilities 20
Data security 20
System Security 27
VxRail STIG hardening package 30
VxRail HCI System Software SaaS multi-cluster management security overview 31
Security built into SaaS multi-cluster management 31
SaaS multi-cluster management data collection 32
SaaS multi-cluster management data in transit to Dell 32
SaaS multi-cluster management data at rest 32
SaaS multi-cluster management data access control 33
End user access to SaaS multi-cluster management 33
Administrative access to SaaS multi-cluster management infrastructure managed by Dell EMC IT 34
Compatible standards and certifications 34
NIST Cybersecurity Framework and VxRail 36
VxRail security solutions and partners 37
Identity and Access Management 38
Security Incident and Event Management 38
Key management server 38
Other security partners 38
Conclusion 39
References 40

Introduction

Across all industries, organizations are modernizing and transforming how they operate and deliver differentiated products and services.
This changes where data resides, how it is accessed, and the number of devices, from Core to Edge to the Cloud. Security will always be a part of IT, focusing on authentication, firewalls, compliance, and cybercriminals. Security is no longer a set of projects but a continuous lifecycle that requires constant review and analysis. Dell Technologies believes security never slows you down and instead accelerates innovation, allowing you to think in new, strategic ways and seize the opportunity.

Dell EMC VxRail provides the fastest and simplest path to this security transformation from Core to Edge to Cloud. VxRail delivers an agile infrastructure with full stack integrity and end-to-end lifecycle management to drive operational efficiencies, reduce risks, and enable teams to focus on the business. Adoption of VxRail systems that break down operational silos and enable continuous innovation through rapid provisioning and deployment of workloads results in significant cost savings and operational efficiencies, enabling IT organizations to drive business opportunities rather than simply support business operations.

Built for VMware, with VMware, to enhance VMware, VxRail is the first and only HCI system jointly engineered with VMware to eliminate the operational complexity of deploying, provisioning, managing, monitoring, and updating VxRail hyper-converged infrastructure. VxRail has security built in at every level of the integrated technology stack, starting with each processor and PowerEdge server and extending through VxRail HCI System Software, including the integrated VMware software. It secures the Core, the Edge, and the Cloud, ensuring availability, integrity, and confidence for every workload, traditional and cloud native.
Security transformation begins with Dell Technologies

Security transformation within Dell Technologies is about rethinking security and accelerating innovation. Dell Technologies is focused on security, from the collaborations between the Dell Technologies companies down to the product developed and released. VxRail is no exception. It is built with the highest levels of product security assurance. It provides fully integrated security capabilities that can be used by your organization to optimize cybersecurity resiliency from the edge to the core to the cloud to accelerate innovation.

Figure 1. From Core to Edge to Cloud

Forbes reported, based on Risk Based Security research newly published in the 2019 MidYear QuickView Data Breach Report,[i] that within the first six months of 2019 there had been more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records. Based on these numbers, breaches may surpass the 6,515 publicly disclosed data compromise events reported in 2018 by the same company. Dell Technologies can ensure that the security strategies keep pace with your modernization initiatives to reduce business risk.
1. Unify security programs with overall business risk, so you know which risks are worth taking.
2. Implement advanced security operations that adapt to the changing threat landscape so that you can respond effectively to threats.
3. Build a resilient modern infrastructure that protects your endpoints, network, applications, and data.
4. Rely on trusted advisory services to help you design and implement your security transformation program.

Dell Technologies is uniquely positioned to help you address all of these areas. While a layered defense with multiple security levels is required, these elements all must work in concert.
Security transformation begins with a cyber resilient, modern infrastructure such as VxRail that has been designed and built with security in mind. Today's evolving threat landscape requires a shift in the approach to prevent or mitigate these threats. Outdated infrastructure is difficult to defend, and point products from multiple vendors add complexity and increase the risk of vulnerabilities that can be exploited. That level of complexity offers multiple points of entry for would-be wrong-doers.

Security standards and compliance also need to be considered. There are often significant legal and financial penalties for non-compliance. While costly, those penalties may have less impact on a business than a breach may have on the company's reputation; people are less likely to do business with a company that has been breached.

- Payment Card Industry Data Security Standard (PCI DSS) – protections for credit card holders
- General Data Protection Regulation (GDPR) – European Union data privacy regulation
- The German Bundesdatenschutzgesetz (BDSG) – the German federal data protection act
- Sarbanes-Oxley Act (SOX) – protection of sensitive data related to financial reporting in public companies
- Gramm-Leach-Bliley Act (GLBA) – protection of nonpublic personal information (NPPI) in the financial services industry
- Health Insurance Portability & Accountability Act (HIPAA) – protection of electronic patient healthcare data and information
- California Consumer Privacy Act (CCPA) – enhances privacy rights and consumer protection for residents of California (signed into law 6/28/2018)

Dell Technologies believes that security transformation is about having a trusted partner: a partner that helps manage digital risk, provides managed security services, and brings expertise, services, solutions, and products that secure the full stack, from infrastructure to applications, and streamline operations, making security an essential part of the business strategy. Dell Technologies is a trusted security partner for security transformation. Whether the focus is on endpoints, data centers, developers, identities, security operations, cloud, or virtualization – security needs to be end-to-end, and Dell Technologies can help. We can help tackle security and business risk, handle security breaches, recover from a ransomware attack, and build secure applications. Security means different things to different people – some bad, some good. However, no matter what it means, Dell Technologies wants organizations to take us on the journey with them.
Bridge to digital future

We are at the moment where IT is being used more than ever to solve business problems. Organizations are doing this by implementing data analytics, artificial intelligence, new applications, and smart devices to generate enormous amounts of data. This data drives actionable insights and unique competitive advantages. Despite this, many organizations still lack a clear digital vision and strategy; they use outdated technology, creating constraints and a culture resistant to change. Without a proper plan, risk and security often become an afterthought or simply never a part of the broader strategy discussion. At this pivotal point in technology, this reactive way of doing business can no longer stand. To accelerate innovation and realize the potential of their digital future, organizations must rethink how they understand security.

In the IT world, security can be viewed more as an obstacle than an accelerator of positive change. Day-to-day, the job can be thankless, and management may have difficulty seeing a return on their investment. Security staff must manage mounting threats and complicated systems, and maintain a working knowledge of an ever-changing landscape. The seemingly daily barrage of cyberattacks on the news only exacerbates this stress, as does the sinking feeling that everything your organization owns could be lost in a second.

But security does not need to be this wrought with fear and frustration. Security has always sought to be more positive, to be more proactive, but this is only possible with the right mindset and technology. We cannot keep thinking of security and risk as we have in the past. To put this shift in perspective, think about a car's brakes. Initially, you may believe that brakes only serve to slow you down, but brakes also enable you to go faster. They give you the confidence to accelerate while preparing you for the obstacles and road ahead. Security and risk also need to be seen as accelerators for the organization and not something that slows you down.
Building trust with Dell EMC product security programs

Dell EMC began formulating its product security policies in 2002 when the company's focus shifted from being primarily a storage hardware vendor to an enterprise-class software provider. The company rolled out its vulnerability response program in 2004 and established a company-wide Product Security Policy in 2005. The policy enacts broad but clear security standards encompassing the complete range of Dell EMC products. This policy was continuously updated, and in 2007, it was integrated into the company's new Security Development Lifecycle (SDL). SDL instilled a series of measurable and repeatable security practices into every step of product development and deployment. In 2012, the company also formalized a supply chain risk management program to extend security practices to Dell EMC's suppliers of product components. Dell EMC continues to evolve its product security programs at the leading edge of industry standards and processes.

With VxRail, Dell EMC continues its commitment to security. The VxRail development lifecycle follows the Dell EMC Product Security development process and Security Development Lifecycle overlay. The Dell EMC Security Development Lifecycle follows a rigorous approach to secure product development and involves executive-level risk management before products are shipped to market. Additionally, VMware vSphere, a significant part of the VxRail hyper-converged infrastructure, has also been developed using a similar Security Development Lifecycle.

Secure Development Lifecycle

The Dell EMC Secure Development Lifecycle (SDL) outlines the set of activities required throughout the product lifecycle to build security resiliency and consistent security capabilities into the products and to respond to externally reported security vulnerabilities promptly. Aligned with industry best practices, the SDL is based on a set of controls that are implemented by the product R&D organizations. The following figure shows some of the typical activities performed as part of the SDL.

Figure 2. Dell EMC SDL Activities

Security champions drive the implementation and validation of these controls within the product R&D organizations, working in close collaboration with the Product and Applications Security Standards. The following figure illustrates how these SDL activities map onto a typical Agile lifecycle.

Figure 3. SDL and a Typical Agile Lifecycle

The scorecard is a mechanism used throughout Dell EMC's business to capture the security posture of a product/solution when it reaches its release Directed Availability/General Availability (DA/GA) date.
Secure development

Dell EMC's comprehensive approach to secure development focuses on minimizing the risk of software vulnerabilities and design weaknesses in products. This comprehensive approach to secure software development goes across policy, people, processes, and technology and includes the following:

- Dell EMC product security policy is a common reference for Dell EMC product organizations to benchmark product security against market expectations and industry best practices.
- Dell EMC engineering teams are a security-aware engineering community. All engineers attend a role-based security engineering program to train on job-specific security best practices and how to use relevant resources. Dell EMC strives to create a security-aware culture across its entire engineering community.
- The Dell EMC development process is secure and repeatable. SDL overlays standard development processes to achieve a high degree of compliance with the Dell EMC product security policy.
- Dell EMC development teams build on best-in-class security technologies. Dell EMC has developed a set of software, standards, specifications, and designs for common software security elements such as authentication, authorization, audit and accountability, cryptography, and key management using state-of-the-art technology. Where appropriate, open interfaces are used, allowing integration with customers' existing security architectures.

Dell EMC's SDL overlays security on standard development processes to achieve a high degree of compliance with the Dell EMC product security policy. The Dell EMC SDL follows a rigorous approach to secure product development that involves executive-level risk management before our products are shipped to market. The SDL is part of a broader set of processes that exist within the secure design standard. The secure design standard is the benchmark for building security into Dell EMC products. The standard relates to the security of all product functionality and describes mandatory security functionality, which must be built into any product delivered by Dell EMC to customers. This standard enables Dell EMC products to:

- Meet customers' rigorous security requirements
- Help customers meet regulatory requirements, such as PCI, HIPAA, etc.
- Minimize the risks to Dell EMC products and customer environments from security vulnerabilities

Source code protection identifies how to properly secure Dell EMC engineering systems that contain source code to product-related intellectual property and ensure the integrity of products deployed to customer environments.
Dell EMC vulnerability response

Security vulnerabilities in any system component can be used by attackers to infiltrate and compromise the entire IT infrastructure. The time between the initial discovery of vulnerabilities and the availability of a fix becomes a race between the attackers and the defenders. A top priority for Dell EMC is to minimize this time gap to reduce risk.

The Dell Product Security Incident Response Team (PSIRT) is responsible for coordinating the response and disclosure for all externally identified Dell EMC product vulnerabilities. The PSIRT provides customers with timely information, guidance, and mitigation strategies to address threats from vulnerabilities. Anyone can notify Dell of potential security flaws in its products through the company's website or by email. Every notice is investigated, validated, remediated, and reported according to industry guidelines. Dell releases information about product vulnerabilities to all customers simultaneously. The company's advisories identify the severity of vulnerabilities and spread the information using multiple standardized reporting systems. Like the rest of our product security practices, Dell's disclosure policy is based on industry best practices.
Supply chain risk management

Successful product security programs are comprehensive and extend to outsourced components and software. Integrity tests within the supply chain are an essential component of building and preserving trust. Dell Technologies has a formal Supply Chain Risk Management program that ensures the hardware components used in the company's products originate from properly vetted sources.

Supply chain security is defined as the practice and application of preventive and detective control measures that protect physical assets, inventory, information, intellectual property, and people. Addressing physical, information, and personnel security helps provide supply chain assurance by reducing opportunities for the malicious introduction of malware and counterfeit components into the supply chain.

Dell's Supply Chain Risk Management framework (below) mirrors that of the comprehensive risk management framework of the National Infrastructure Protection Plan (NIPP), which outlines how government and the private sector can work together to mitigate risks and meet security objectives. Dell's framework incorporates an open feedback loop that allows for continuous improvement. Risk mitigation plans are prioritized and implemented as appropriate throughout the entire solution lifecycle. The following figure illustrates the supply chain risk management process:

Figure 4. Dell supply chain risk management process
Industry collaboration to improve product security

Dell Technologies believes a collaborative approach is the most efficient and effective way to deal with security threats that continuously emerge and can quickly spread among organizations through today's densely interconnected systems. Considering the heightened risks, technology providers must set aside their competing aims in the marketplace when it comes to product security. No single vendor can solve all IT product security problems by itself. IT security is a collective, collaborative endeavor. Dell Technologies believes collaborating with other companies is essential to ensuring that the marketplace remains a venue where everyone can flourish.

Having spent decades in product security has helped Dell Technologies establish a rich history of successful improvements and insights. The company openly shares what it has learned with its customers, peers, and partners. Dell Technologies understands a customer's IT system may not run solely on Dell Technologies products, so we're committed to improving the ecosystem's security wherever a product operates. That means being an active participant and a positive contributor throughout the industry. Dell Technologies' long commitment to advancing product security has created an obligation to assist and promote newer industry members. The company's product security leaders facilitate the open exchange of ideas at conferences, through blog posts, and in other social and formal venues.

Participation in industry product security groups

Dell Technologies is active in product security groups, where it both learns and teaches progressive best practices and cultivates a sense of communal responsibility for product security. Dell Technologies industry affiliations include:

- BSIMM—The Building Security in Maturity Model evaluates the industry's software security initiatives, so organizations can see where their security efforts stand and how they should evolve.
- The Open Group—This 400-member consortium runs respected certification programs for IT personnel, products, and services to design and improve IT standards. The Open Group works to understand current and emerging IT requirements and establish or share best practices to meet them.
- SAFECode—The Software Assurance Forum for Excellence in Code, co-founded by Dell EMC, is an industry-led effort to identify and promote best practices for delivering more secure and reliable software, hardware, and services.
- CSA—The Cloud Security Alliance is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
- FIRST—The Forum of Incident Response and Security Teams is a recognized global leader in incident response. Dell PSIRT is a FIRST team member.
VxRail: The foundation for data center modernization and IT transformation

To win the race against the continually evolving security threat landscape, VxRail has the adaptability to defend against current and future threats. VxRail is built on the current generation of Dell PowerEdge servers and the latest processor technologies, which provide a secure platform and flexible configuration options. vSphere provides storage and server virtualization. As workload requirements grow, VxRail easily scales. As regulations change, VxRail's flexible configuration options enable it to quickly adapt. VxRail can help your organization optimize cyber-resiliency, manage risk, and meet compliance requirements no matter what industry sector your organization is operating in.

VxRail is the only fully integrated, pre-configured, tested hyper-converged infrastructure that is powered by VMware vSAN. Whether VxRail is deployed in the data center, at the edge, or as part of a hybrid cloud solution, VxRail provides a simpler, better, and more secure delivery of business-critical applications, VDI, and remote infrastructure. VxRail enables Dell EMC to provide the customer with the capabilities needed to optimize cyber resiliency across your entire deployment. The following figure illustrates security built into VxRail:

Figure 5. Security built into VxRail

Dell EMC PowerEdge servers

VxRail is built on top of the Dell PowerEdge server platform with embedded hardware and system-level security features to protect the infrastructure with layers of defense. Breaches are quickly detected, allowing the system to recover to a trusted baseline. Differentiated security features in PowerEdge servers include:

- System lockdown prevents unauthorized or inadvertent changes. This industry-first feature prevents configuration changes that create security vulnerabilities and expose sensitive data.
- The cyber-resilient architecture with features such as UEFI Secure Boot, BIOS Recovery capabilities, and signed firmware provides enhanced protection against attacks.
- The server-level System Erase feature ensures privacy by quickly and securely erasing all user data from the drives and all non-volatile memory when a server is retired.

Dell EMC PowerEdge servers are the critical hardware that makes up the nodes in a VxRail cluster. The CPU, memory, and disk resources on each node provide the pooled resources for the cluster, and the network interfaces provide connectivity. Therefore, the secure Dell EMC PowerEdge servers are the foundation for VxRail security.

PowerEdge servers have an integrated remote access controller, referred to as iDRAC. iDRAC uses secure communication, authentication, and role-based access controls to enable secure remote management and configuration of the physical system. With configurable alerts, iDRAC can send event information to your Security Incident and Event Management (SIEM) system whenever the hardware is accessed or the configuration is changed. Detecting and reporting unauthorized changes protects the integrity of a VxRail. For more information, see Cyber Resilient Security in 14th Generation of Dell EMC PowerEdge.
PowerEdge servers use cryptographically signed and verified firmware to build a system of trust, leveraging security technologies built right into the silicon. Capabilities like Intel's Trusted Execution Technology (TXT) verify that the server executes only the intended version of firmware, BIOS, and hypervisor while preventing the undetected introduction of malware. The following figure illustrates the hardware root of trust:

Figure 6. Hardware Root of Trust

VxRail can achieve even higher protection levels of server integrity by configuring the nodes with an optional Trusted Platform Module (TPM v1.2 and v2.0). TPM is an international standard for secure cryptoprocessors, a dedicated microcontroller that is designed to provide high security for cryptographic keys, and an option for all VxRail nodes.
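The verify-before-execute chain and TPM measurement described above, as an added example that is not part of this paper or of Dell's firmware: a Python model in which each boot stage is measured into a PCR and its vendor signature checked before it is allowed to run, so a modified BIOS image halts the boot and leaves a PCR value that no longer matches the known-good baseline. The stage names, image bytes and the HMAC key are constructed assumptions, and the HMAC stands in for the platform's asymmetric firmware signature.

```python
"""Model of a hardware root of trust: signed-firmware verification plus
TPM-style PCR measurement for each boot stage (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: an HMAC keyed with a vendor secret stands in for the asymmetric
# signature (RSA/ECDSA) that the real silicon root of trust verifies. The
# control flow (measure, then verify, then execute) is what the example shows.
VENDOR_KEY = b"constructed-vendor-signing-key"
PCR_SIZE = 32  # SHA-256 PCR bank


@dataclass(frozen=True)
class BootStage:
    name: str         # constructed stage label, e.g. "BIOS/UEFI"
    image: bytes      # constructed stand-in for the firmware/BIOS/ESXi image
    signature: bytes  # vendor signature over the image


def sign_image(image: bytes) -> bytes:
    """Vendor-side signing step; only the vendor holds VENDOR_KEY."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_valid(image: bytes, signature: bytes) -> bool:
    """Root-of-trust check run before a stage is allowed to execute."""
    return hmac.compare_digest(sign_image(image), signature)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). Append-only and order-sensitive,
    so a changed or reordered stage changes every later PCR value."""
    return hashlib.sha256(pcr + measurement).digest()


def golden_pcr(chain: List[BootStage]) -> str:
    """Expected final PCR for a validated stack; an attestation verifier compares
    the reported PCR against this value."""
    pcr = bytes(PCR_SIZE)
    for stage in chain:
        pcr = pcr_extend(pcr, hashlib.sha256(stage.image).digest())
    return pcr.hex()


def measured_boot(chain: List[BootStage]) -> Dict[str, object]:
    """Walk the chain: measure each stage first (so the record reflects what was
    actually present), then refuse to execute anything whose signature fails."""
    pcr = bytes(PCR_SIZE)  # PCRs start at zero on platform reset
    executed: List[str] = []
    halted_at: Optional[str] = None
    for stage in chain:
        pcr = pcr_extend(pcr, hashlib.sha256(stage.image).digest())
        if not signature_valid(stage.image, stage.signature):
            halted_at = stage.name  # unsigned/modified code never runs
            break
        executed.append(stage.name)
    return {"booted": halted_at is None, "halted_at": halted_at,
            "executed": executed, "pcr": pcr.hex()}


def build_chain(bios_image: bytes = b"BIOS v2.8.1 (constructed)") -> List[BootStage]:
    """Constructed sample chain: management controller firmware, BIOS, hypervisor."""
    images = [("iDRAC firmware", b"iDRAC fw 4.20 (constructed)"),
              ("BIOS/UEFI", bios_image),
              ("ESXi hypervisor", b"ESXi 7.0 image (constructed)")]
    return [BootStage(name, img, sign_image(img)) for name, img in images]


def tamper_bios(chain: List[BootStage]) -> List[BootStage]:
    """Return a copy where the BIOS image was altered but its old signature kept,
    modelling an unsigned modification of the firmware."""
    return [BootStage(s.name, s.image + b"<unsigned change>", s.signature)
            if s.name == "BIOS/UEFI" else s for s in chain]


if __name__ == "__main__":
    good = build_chain()
    print("golden PCR:", golden_pcr(good))
    print("clean boot:", measured_boot(good))
    print("tampered  :", measured_boot(tamper_bios(good)))
```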
Dell EMC VxRail HCI system software

VxRail HCI system software is the foundation for the value-differentiating capabilities of VxRail. From an infrastructure stack perspective, the management software runs on top of the VMware software and the PowerEdge server to allow VxRail to act as a singular unified system.

Figure 7. VxRail HCI system software

Continuously Validated States—VxRail runs on pre-tested and validated software and firmware for the entire VxRail stack, including the VMware software and PowerEdge server components. VxRail lifecycle management capabilities ensure that VxRail clusters are running in that known good state throughout their entire lifecycle as the cluster goes through continuous changes to take advantage of the latest VMware software innovation, security fixes, or bug fixes. The term "Continuously Validated States" encapsulates the configuration stability delivered by VxRail clusters.

Electronic Compatibility Matrix—With all these different software and hardware components in the stack, the VxRail team is continuously testing and validating against the entire stack so that whatever desired state the user determines from the VMware compatibility matrix has been validated as a Continuously Validated State. In addition, VxRail refers to this matrix to ensure the cluster configuration stays in compliance. These benefits drastically reduce the testing effort and resources a customer would need to invest while also giving the customer the peace of mind that they need to predictably and securely evolve their VxRail clusters without impacting application workloads.

Ecosystem connectors—In order to build an extensive Electronic Compatibility Matrix, VxRail needs to be able to communicate with ecosystem members in the stack, which includes vSphere, vSAN, vCenter, and the PowerEdge server and the multiple hardware components within it. The connectors allow VxRail to know the software/firmware versions running in each component and to lifecycle manage those components. The automation and orchestration capabilities enable VxRail to be managed as a singular unified system.

VxRail Manager—The primary management user interface for VxRail is the vCenter plug-in called VxRail Manager. VxRail users can perform any VxRail activity through this interface, including initial cluster configuration, monitoring hardware components, performing graceful cluster shutdown, expanding the cluster by adding nodes, and updating VxRail HCI System Software. It provides a fully integrated vCenter experience.
VxRail Manager FIPS 140-2 Level 1—As part of FIPS 140-2 Level 1 compliance, VxRail has added the following updates to the VxRail Manager virtual appliance as of the VxRail 7.0.010 release:

- VxRail Manager – Implemented FIPS-validated crypto modules in VxRail Manager to protect data in transit
- VxRail Manager – FIPS mode enabled in the VxRail Manager OS
- VxRail Manager – Lockbox using FIPS-certified algorithms for encrypted storage of keys and credentials

SaaS multi-cluster management—As enhancements are made to improve the VxRail lifecycle management experience, much of it will depend on the analytical computing capabilities in SaaS multi-cluster management Global Orchestration. Through the advanced telemetry that HCI System Software gathers about VxRail clusters, SaaS multi-cluster management is used to deliver AI-driven insights that will allow users to proactively manage their clusters to improve performance and availability. AI-driven insights are also driving more active multi-cluster management capabilities, which is an area where HCI users will have an increasing interest as they expand their HCI footprint and management at scale becomes a necessity.

REST APIs—VxRail's benefits for lifecycle management ideally position VxRail as the infrastructure platform of choice, as the focus on simplifying IT operations plays a critical role in allowing IT teams to focus on cloud-based IT service delivery models. Making the VxRail platform extensible via APIs enables customers to build on top of infrastructure-as-a-service solutions. APIs also allow management at a scale that can benefit customers with a large number of VxRail clusters deployed in various locations who have chosen in-house scripted solutions to manage at scale.

Support Remote Services—Support experience can also be a critical factor in choosing the correct HCI solution. VxRail provides single-vendor support for VMware software, PowerEdge server, and VxRail software through Dell Technical Support. VxRail support includes Dell EMC Secure Remote Services for call-home and proactive two-way remote connection for remote monitoring, diagnosis, and repair throughout the entire lifecycle process to ensure maximum availability.
VMware vSphere

The VMware vSphere software suite provides VxRail with a highly available, resilient, on-demand virtualized infrastructure. ESXi, vSAN, and vCenter Server are core components of vSphere. ESXi is a hypervisor installed on a physical VxRail server node in the factory that enables a single physical server to host multiple logical servers or VMs. vSAN is the software-defined storage used by the VMs, and VMware vCenter Server is the management application for ESXi hosts, vSAN, and VMs.

AppDefense is used to secure the applications running on the VMs. AppDefense protects the integrity of applications running on vSphere by using machine learning to understand the intended state and behavior of the application and machine in order to detect and prevent threats (VxRail running vSphere Enterprise Plus).

Like Dell EMC, VMware follows a rigorous Secure Software Development Lifecycle process and operates a Security Response Center. VxRail is jointly developed and supported with VMware, ensuring all components included in the solution are designed, built, tested, and deployed with security as a top priority. For more information, see VMware Product Security.
VMware vCenter Server

vCenter Server is the primary point of management for both server virtualization and vSAN storage. A single vCenter instance can scale to enterprise levels, supporting hundreds of VxRail nodes and thousands of VMs. VxRail can either use an instance of vCenter that is deployed within the VxRail cluster or use an existing vCenter instance.

vCenter provides a logical hierarchy of data centers, clusters, and hosts. This hierarchy facilitates segmenting resources by use case or lines of business and allows resources to move dynamically as needed. This is all done from a single intuitive interface. vCenter Server provides VM and resource services, such as inventory service, task scheduling, statistics logging, alarm and event management, and VM provisioning and configuration. vCenter Server also provides advanced availability features, including:

- vSphere vMotion—Enables live VM workload migration with zero downtime
- vSphere Distributed Resource Scheduler (DRS)—Continuously balances and optimizes VM compute resource allocation across nodes in the cluster
- vSphere High Availability (HA)—Provides VM failover and restart capabilities

VMware ESXi hypervisor

In VxRail, the ESXi hypervisor hosts the VMs on cluster nodes. VMs are secure and portable, and each VM is a complete system with processors, memory, networking, storage, and BIOS. VMs are isolated from one another, so when a guest operating system running on a VM fails, other VMs on the same physical host are not affected and continue to run. VMs share access to CPUs, and ESXi is responsible for CPU scheduling. Also, ESXi assigns VMs a region of usable memory and manages shared access to the physical network cards and disk controllers associated with the physical host. All x86-based operating systems are supported, and VMs on the same physical server hardware can run different operating systems and applications.
VMware virtual networking

A fundamental security requirement is to isolate network traffic. On VxRail, vSphere's virtual networking capabilities provide flexible connectivity and isolation. VxRail VMs communicate with each other using the VMware Virtual Distributed Switch (VDS), which functions as a single, logical switch that spans multiple nodes in the same cluster. VDS uses standard network protocols and VLAN implementations, and it forwards frames at the data-link layer. VDS is configured in vCenter Server at the data center level, maintaining a secure and consistent network configuration as VMs migrate across multiple hosts. VxRail relies on VDS for internal networking traffic, and vSAN relies on VDS for its network access. Additionally, VxRail can be configured with NSX to provide software-defined network security and finer-level access control using micro-segmentation.

VMware vSAN

vSAN aggregates the locally attached disks of hosts in a vSphere cluster to create a pool of distributed shared storage. Capacity is scaled up by adding additional disks to the cluster and scaled out by adding additional VxRail nodes. vSAN is fully integrated with vSphere, and it works seamlessly with other vSphere features.
vSAN is notable for its efficiency and performance. vSAN is self-optimizing and balances allocation based on workload, utilization, and resource availability. vSAN delivers high-performance, flash-optimized HCI suitable for a variety of workloads. Enterprise-class storage features include:

- Efficient data-reduction technology, including deduplication and compression as well as erasure coding
- QoS policies to control workload consumption based on user-defined limits
- Data-integrity and data-protection technology, including software checksums and fault domains
- Enhanced security with vSAN data-at-rest encryption

With vSAN, disks on each VxRail node are automatically organized into disk groups with a single cache drive and one or more capacity drives. These disk groups are used to form a single vSAN datastore, which is accessible across all the nodes in a VxRail cluster. VxRail provides two different vSAN node-storage configuration options: a hybrid configuration that uses both flash SSDs and mechanical HDDs, and an all-flash SSD configuration. The hybrid configuration uses flash SSDs for caching and mechanical HDDs for capacity and persistent data storage. The all-flash configuration uses flash SSDs for both caching and capacity. The following figure illustrates the basic concepts of vSAN:

Figure 8. The basic concepts of vSAN

vSAN is configured when the VxRail cluster is first initialized and is managed through vCenter. During the VxRail initialization process, vSAN creates a distributed shared datastore from the locally attached disks on each ESXi node. The amount of storage in the datastore is an aggregate of all the capacity drives in the cluster. The amount of usable storage depends on the protection level used. The orchestrated vSAN configuration and verification performed as part of system initialization ensures consistent and predictable performance and a system configuration that follows best practices.
vSANsecurediskwipevSANSecurediskwipeisafeaturetosecurelyretireorre-purposingthedisksusedinavSANenvironment.
ThesecurediskwipefeatureisbasedonNISTstandards.
DrivesmustbedecommissionedfromthevSANdiskgrouptousethisfeature.
Thiswillworkonasingleormultiplediskssimultaneously,butmagneticdiskisnotsupported(flashandNVMeonly).
StoragePolicyBasedManagement(SPBM)vSANispolicy-drivenanddesignedtosimplifystorageprovisioningandmanagement.
vSANstoragepoliciesarebasedonrulesetsthatdefinestoragerequirementsforVMs.
AdministratorscandynamicallychangeaVMstoragepolicyasrequirementschange.
ExamplesofSPBMrulesarethenumberoffaultstotolerate,thedataprotectiontechniquetouse,andwhetherstorage-levelchecksumsareenabled.
VMware vRealize Log Insight
Bundled with VxRail, VMware vRealize Log Insight monitors system events and provides ongoing, holistic notifications about the state of the virtual environment and hardware. vRealize Log Insight delivers real-time automated log management for VxRail with log monitoring, intelligent grouping, and analytics to simplify troubleshooting at scale across VxRail physical, virtual, and cloud environments. Centralized logging is a fundamental requirement of a secure infrastructure. For customers who already have a logging facility or a SIEM, VxRail integrates easily using the industry-standard Syslog protocol.

VMware Cloud Foundation, including NSX
VMware Cloud Foundation on VxRail is a Dell EMC and VMware jointly engineered, integrated solution with features that simplify, streamline, and automate the operations of your entire Software-Defined Data Center (SDDC) from Day 0 through Day 2. The platform delivers a set of software-defined services for compute (with vSphere and vCenter), storage (with vSAN), networking (with NSX), security, and cloud management (with vRealize Suite) in both private and public environments, making it the operational hub for your hybrid cloud. VMware Cloud Foundation on VxRail provides the simplest path to the hybrid cloud through a fully integrated hybrid cloud platform that leverages native VxRail hardware and software capabilities and other VxRail-unique integrations (such as vCenter plug-ins and Dell EMC networking). These components work together to deliver a turnkey hybrid cloud user experience with full-stack integration. Full-stack integration means you get both the HCI infrastructure layer and the cloud software stack in one complete, automated, turnkey lifecycle experience.

VMware NSX Data Center is the network virtualization and security platform that enables the virtual cloud network. It is a software-defined approach to networking that extends across data centers, clouds, endpoints, and edge locations. With NSX Data Center, network functions, including switching, routing, firewalling, and load balancing, are brought closer to the application and distributed across the environment. Similar to the operational model of VMs, networks can be provisioned and managed independently of the underlying hardware. NSX Data Center reproduces the entire network model in software, enabling any network topology, from simple to complex multi-tier networks, to be created and provisioned in seconds. Users can create multiple virtual networks with diverse requirements, leveraging a combination of the services offered via NSX, including micro-segmentation, or from a broad ecosystem of third-party integrations ranging from next-generation firewalls to performance management solutions, to build inherently more agile and secure environments. These services can then be extended to a number of endpoints within and across clouds. For additional information, see the VMware Cloud Foundation on VxRail Architecture Guide.

VxRail security capabilities
Security capabilities are broken into two sections: data security and system security. Secure system configuration and management of VxRail follow the principles of the Confidentiality-Integrity-Availability (CIA) triad. VxRail provides a fully pre-configured and tested stack for all the security capabilities. These security capabilities are integrated and included with VxRail.

Data security
Data security follows the CIA triad in order to ensure that data is available only to authorized and/or specific accounts and that compliance requirements and specifications are met. This includes both physical and user-level access to data.

Confidentiality
Preventing sensitive information from reaching the wrong people while ensuring appropriate, authorized access to a company's data is a fundamental problem, summed up as confidentiality or privacy. VxRail addresses the confidentiality of data in use, data in motion, and data at rest.

Encryption
Encryption protects the confidentiality of information by encoding it to make it unintelligible to unauthorized recipients. With VxRail, datastores can be encrypted using vSAN's data-at-rest encryption (D@RE), which provides FIPS 140-2 validated protection. vSAN encryption delivers D@RE not only for your workloads but also for vCenter (if hosted on the same cluster) and VxRail Manager. Individual VMs can be encrypted using vSphere VM Encryption, and VMs in motion can be encrypted using encrypted vMotion. Additional levels of encryption may be configured based on application requirements.

vSAN encryption is the easiest and most flexible way to encrypt data at rest because the entire vSAN datastore is encrypted with a single setting. This encryption is cluster-wide for all VMs using the datastore. Normally, encrypted data does not benefit from space-reduction techniques such as deduplication or compression. However, with vSAN, encryption is performed after deduplication and compression, so the full benefit of these space-reduction techniques is maintained.

VM Encryption provides the flexibility to enable encryption on a per-VM basis, which means a single cluster may have encrypted and non-encrypted VMs. VM Encryption follows the VM wherever it is hosted, so even if the VM were moved to a datastore outside VxRail, it would remain encrypted. VM encryption can be turned on and off, but a VM that is encrypted will always use encrypted vSphere vMotion when it is migrated. VMs that are not encrypted can select from the vMotion encryption options Disabled, Opportunistic, and Required; Opportunistic is the default for unencrypted VMs. The following figure summarizes the difference between VM encryption and vSAN encryption:

Figure 9. VM encryption vs. vSAN encryption

VxRail supports encrypted vMotion, where VM data is encrypted while VMs are moved between hosts. This includes vMotion migrations within a VxRail cluster as well as vMotion migrations to or from a VxRail cluster within a vCenter instance. Encrypted vMotion can be used with vSAN encryption to have both data-at-rest encryption and data-in-transit encryption. Encrypted vMotion is enforced for VMs with vSphere VM Encryption enabled.
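The interaction between VM Encryption and the per-VM vMotion setting is easy to get wrong in practice: an Opportunistic VM is protected only as long as every host it can land on is capable of encrypted vMotion. The following Python model is an added example, not VxRail or VMware code. It encodes the rules stated above (encrypted VM: always Required; unencrypted VM: its own Disabled/Opportunistic/Required setting, Opportunistic by default) and audits a constructed inventory for migrations that would cross the vMotion network in cleartext. The per-host capability flag and the sample hosts and VMs are assumptions for the demo, not data from a real vCenter.

```python
"""Model of how vSphere picks the vMotion channel protection for a VM.

Added example, not VMware or VxRail code. It encodes the rules in the text:
a VM with vSphere VM Encryption always migrates over encrypted vMotion, while
an unencrypted VM follows its own setting (Disabled, Opportunistic, Required),
Opportunistic being the default. Host capability flags and the inventory below
are constructed sample data, not output from a real vCenter.
"""
from dataclasses import dataclass

DISABLED, OPPORTUNISTIC, REQUIRED = "Disabled", "Opportunistic", "Required"


@dataclass(frozen=True)
class Host:
    name: str
    encrypted_vmotion_capable: bool  # assumption: one capability flag per ESXi host


@dataclass(frozen=True)
class VM:
    name: str
    vm_encrypted: bool               # vSphere VM Encryption enabled (needs a KMS)
    vmotion_policy: str = OPPORTUNISTIC


class MigrationRefused(Exception):
    """Raised when the Required policy cannot be honoured."""


def effective_policy(vm: VM) -> str:
    # An encrypted VM is pinned to Required regardless of its own setting.
    return REQUIRED if vm.vm_encrypted else vm.vmotion_policy


def plan_vmotion(vm: VM, src: Host, dst: Host) -> bool:
    """Return True if the migration traffic will be encrypted, False if it will
    cross the vMotion network in cleartext; raise MigrationRefused if the
    policy is Required and either host cannot encrypt."""
    policy = effective_policy(vm)
    both_capable = src.encrypted_vmotion_capable and dst.encrypted_vmotion_capable
    if policy == DISABLED:
        return False
    if policy == OPPORTUNISTIC:
        # Encrypt when possible, silently fall back to cleartext otherwise.
        return both_capable
    if policy == REQUIRED:
        if not both_capable:
            raise MigrationRefused(
                f"{vm.name}: Required encryption but {src.name}->{dst.name} "
                "cannot both encrypt vMotion")
        return True
    raise ValueError(f"unknown vMotion encryption policy {policy!r}")


def cleartext_exposure(vms, hosts):
    """Audit helper: list (vm, src, dst) triples whose migration would be in
    cleartext. Opportunistic VMs are the ones that surprise people: they are
    'encrypted' only as long as every host in the cluster is capable."""
    exposed = []
    for vm in vms:
        for src in hosts:
            for dst in hosts:
                if src is dst:
                    continue
                try:
                    if not plan_vmotion(vm, src, dst):
                        exposed.append((vm.name, src.name, dst.name))
                except MigrationRefused:
                    pass  # a refused migration never leaks data
    return exposed


# Constructed sample inventory: one legacy host that cannot encrypt vMotion.
HOSTS = [Host("esx01", True), Host("esx02", True), Host("esx03", False)]
VMS = [
    VM("payroll-db", vm_encrypted=True),                 # pinned to Required
    VM("web-01", vm_encrypted=False),                    # default Opportunistic
    VM("lab-test", vm_encrypted=False, vmotion_policy=DISABLED),
]

if __name__ == "__main__":
    for entry in cleartext_exposure(VMS, HOSTS):
        print("cleartext vMotion possible:", entry)
```

Run stand-alone, the audit lists every host pair on which web-01 (Opportunistic) and lab-test (Disabled) could migrate unencrypted; payroll-db never appears, because a Required migration to the legacy host is refused rather than downgraded. The practical lesson is that an Opportunistic default is only as strong as the least capable host in the cluster.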
Except for vMotion encryption, where vSphere itself provides the temporary keys used to encrypt the data in motion, a Key Management Server (KMS) is required for the secure generation, storage, and distribution of the encryption keys. When encryption is enabled, vCenter establishes a trust relationship with the KMS and then passes the KMS connection information on to the ESXi hosts. The ESXi hosts request encryption keys directly from the KMS and perform the data encryption and decryption; vCenter connectivity is only required for the initial setup. Because the KMS is a critical component of the security infrastructure, it should have the same level of redundancy and protection typically applied to other critical infrastructure components, such as DNS, NTP, and Active Directory. It is important to remember that the KMS should run physically separate from the elements that it encrypts: during startup, the ESXi hosts request the keys from the KMS, and if the KMS is unavailable, the system will not be able to complete the startup. In particular, the KMS must not depend on the encrypted datastore it provides keys for.

VxRail and VMware support KMSs that are compatible with Key Management Interoperability Protocol (KMIP) v1.1 or higher, such as Dell EMC CloudLink. VMware maintains a Compatibility Guide of KMSs that have been validated with vSphere.

Within vSphere, encryption is handled by a common set of modules that are FIPS 140-2 validated. These common modules are designed, implemented, and validated through the VMware Secure Development Lifecycle. Having a common set of encryption modules allows VxRail to make encryption easier to implement, manage, and support. Encryption is enabled on VxRail through a simple configuration setting in vCenter. Access controls ensure that only authorized individuals are allowed to enable or disable encryption: a role named "No Cryptography Administrator" allows an administrator to perform normal administrative tasks but without the authority to alter encryption settings.

Data-in-transit encryption
Data-in-transit encryption adds to the overall VxRail secure posture. vSAN data-in-transit encryption is disabled by default and can be enabled at any time, as it does not require a rolling reformat of the vSAN disk groups. Data-in-transit encryption does not require a key management server (KMS): keys for the FIPS 140-2 compliant AES-256-GCM cipher are generated automatically and, by default, regenerated every 24 hours. Data-in-transit encryption can be used alongside other vSAN features such as deduplication, compression, and data-at-rest encryption. It can be enabled (it is disabled by default) on both hybrid and all-flash nodes.

VxRail software-defined networking using the optional NSX
Dynamic virtual environments such as VxRail often benefit from the flexibility that Software-Defined Networking (SDN) services provide. The easiest way to provide SDN on VxRail is with VMware NSX, which is an optional software license and is not included with VxRail. NSX is a complete network virtualization and security platform that allows administrators to create entire virtual networks, including routers, firewalls, and load balancers, purely in software. Because this software-defined networking is decoupled from the underlying physical network infrastructure, it does not depend on VxRail being attached to a particular switch vendor. NSX with VxRail is an integrated security solution that reduces the need to deploy additional security hardware or software components. With NSX, VxRail administrators configure micro-segmentation to secure and isolate different tenant workloads, control ingress and egress, and provide enhanced security for all workloads, including traditional multi-tier applications and general-purpose VMs, as well as VDI environments. A few of the benefits of using NSX with VxRail include:
- The ability to apply security policies closest to the workload. Security policies are applied in software, and the security controls move with the workload between hosts in the cluster.
- Simplified management, with security integrated into the vSphere stack and managed centrally through the vSphere HTML5 Web Client and the NSX Manager plug-in.
- Consistent and automatic security controls using groups and policies. Workloads are automatically identified and dynamically placed within the correct security posture.
- Efficient implementation of security controls at the hypervisor level, which reduces application latency and bandwidth consumption compared to external or perimeter-based security controls.
- DMZ-level isolation to control ingress and egress for both internal and external clients from the Internet, using appropriate allow-and-deny rules to control traffic.
- Detection and blocking of spoofed VM IP addresses using the SpoofGuard feature. (For more information on this capability, see VMware's Using SpoofGuard documentation.)
- Identity Firewall, which allows an NSX administrator to create Active Directory user-based DFW rules. (For more information on this capability, see the VMware NSX documentation.)
- Integration with third-party security services such as Intrusion Detection and Intrusion Prevention (IDS/IPS).

NSX enhances the security posture of an environment and is compliant with the following certifications and standards:
- Common Criteria certification, EAL2+
- ICSA Labs certified firewall
- FIPS 140-2 Level 1
- Satisfaction of all NIST cybersecurity recommendations for protecting virtualized workloads

By leveraging the optional VMware NSX platform for security with VxRail, firewall and security policies are built in, providing a truly converged VxRail as opposed to security sitting externally at the perimeter. Deploying NSX with VxRail further reduces the time it takes to deploy new application initiatives, as security controls become part of the VxRail rather than additional hardware or software components that are bolted on.

Lockdown mode
For environments needing even greater security with flexibility, lockdown mode can be configured for ESXi. In lockdown mode, the ability to perform management operations on individual hosts is limited, forcing management tasks to be completed through vCenter. Lockdown in "Normal" mode allows a select group of users to be placed on an allowlist, enabling them to manage the servers locally instead of through vCenter; this allowlist must include certain VxRail management accounts. In "Strict" lockdown mode, no users are allowed to manage the servers locally. Lockdown in "Strict" mode is not supported by VxRail.

Secure management with HTTPS
Unsecured management traffic is a significant security risk. Because of that, VxRail uses management interfaces secured with Transport Layer Security (TLS) 1.2. vCenter, iDRAC, and HCI System Software all disable the cleartext HTTP interface and require the use of HTTPS, which uses TLS 1.2. In addition, access to the command line of the ESXi servers must use SSH. Using SSH and HTTPS is a vital part of secure command and control for a VxRail.

Integrity
The integrity of a company's data is a fundamental requirement of business operations. VxRail ensures the integrity of your data by maintaining the consistency, accuracy, and trustworthiness of data over its lifecycle, by controlling user access and with built-in integrity features such as data checksums.

Network segmentation
Network segmentation is used to isolate private network traffic from public traffic in order to reduce the attack surface. It is also an effective security control for limiting the movement of an attacker across networks. VxRail is engineered with multiple levels of network segmentation, including physical segmentation of the hardware management network, virtual segmentation of application and infrastructure networks, and micro-segmentation at the VM and application level with the optional NSX software from VMware. Through segmentation, the visibility of critical administrative tools is limited, preventing attackers from using them against a system. By default, appropriate network segmentation is automatically configured as part of the system's initialization. The administrator has the flexibility to define additional levels of segmentation as required for the application environment. Best practices for network configuration are presented in the Dell EMC VxRail Network Guide.

VxRail uses VMware Distributed Virtual Switches that segment traffic by default using separate VLANs for Management, vSAN, vMotion, and application traffic. The vSAN and vMotion networks are private, non-routable networks. Depending on the applications supported by a VxRail network, traffic could be further segmented based on different applications, production and non-production traffic, or other requirements.

The Distributed Virtual Switch on a VxRail is configured by default with vSphere Network I/O Control (NIOC). NIOC allows physical bandwidth to be allocated to the different traffic types (VLANs). Some cyber-attacks, such as denial of service and worms, can lead to the overuse of resources. This can cause a denial of resources to other services that are not directly under attack. NIOC can guarantee that other services will have the network bandwidth they need to maintain their integrity in the event of an attack on other services. NIOC settings are automatically configured following recommended best practices when the system is initialized. The Dell EMC VxRail Network Guide includes details of the NIOC settings for the default VxRail VLANs.
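To make the NIOC guarantee concrete, the following Python model is an added example, not VMware code and not the VxRail default NIOC configuration (those values are in the Dell EMC VxRail Network Guide). It implements NIOC's documented semantics as a water-filling allocation: a reservation is a guaranteed minimum, a limit is a hard cap, and shares are weights that matter only once the physical uplink is saturated. The traffic classes, share values, demands, and the "VM flood" scenario are constructed to show what vSAN and management traffic still receive when a compromised VM tries to consume the whole 10 GbE link.

```python
"""Model of vSphere Network I/O Control bandwidth allocation under contention.

Added example, not VMware code: it implements the documented NIOC behaviour
(reservation = guaranteed minimum, limit = hard cap, shares = weight applied
only when the physical link is saturated) as a water-filling allocation.
The traffic classes, share values and demand figures below are constructed
for illustration and are NOT the VxRail default NIOC settings.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class TrafficClass:
    name: str
    shares: int                        # relative weight under contention
    demand_mbps: int                   # what the class is trying to send now
    reservation_mbps: int = 0          # guaranteed minimum
    limit_mbps: Optional[int] = None   # hard cap, None = unlimited


def allocate(link_mbps: int, classes: List[TrafficClass]) -> Dict[str, float]:
    """Return Mbps granted to each class on one saturated physical uplink."""
    if sum(c.reservation_mbps for c in classes) > link_mbps:
        raise ValueError("reservations exceed link capacity")

    def cap(c: TrafficClass) -> int:
        # A class never receives more than it asks for or than its limit.
        return c.demand_mbps if c.limit_mbps is None else min(c.demand_mbps, c.limit_mbps)

    # Step 1: every class gets its reservation (or less, if it wants less).
    granted = {c.name: Fraction(min(c.reservation_mbps, cap(c))) for c in classes}
    remaining = Fraction(link_mbps) - sum(granted.values())

    # Step 2, water-filling: split the leftover by shares among classes that
    # still want more; saturated classes drop out and the rest re-split.
    while remaining > 0:
        hungry = [c for c in classes if granted[c.name] < cap(c)]
        if not hungry:
            break                      # no contention left: link is not full
        total_shares = sum(c.shares for c in hungry)
        per_share = remaining / total_shares
        for c in hungry:
            extra = min(per_share * c.shares, Fraction(cap(c)) - granted[c.name])
            granted[c.name] += extra
            remaining -= extra
    return {name: float(v) for name, v in granted.items()}


def dos_scenario(vm_flood_mbps: int, mgmt_reservation: int = 0) -> Dict[str, float]:
    """Constructed scenario: a VM-network flood competing with vSAN and
    management traffic on a 10 GbE uplink. Shares are illustrative only."""
    classes = [
        TrafficClass("vsan", shares=100, demand_mbps=4000),
        TrafficClass("vmotion", shares=50, demand_mbps=0),
        TrafficClass("management", shares=5, demand_mbps=1500,
                     reservation_mbps=mgmt_reservation),
        TrafficClass("vm", shares=30, demand_mbps=vm_flood_mbps),
    ]
    return allocate(10_000, classes)


if __name__ == "__main__":
    print("no reservation:  ", dos_scenario(10_000))
    print("1000 Mbps reserved:", dos_scenario(10_000, mgmt_reservation=1000))
```

With the link saturated by the flood, vSAN still receives its full 4000 Mbps because its share weight is large; the low-share management class is squeezed to roughly 857 Mbps of the 1500 it wants, and only a reservation lifts it to what it needs. Without contention (a 1000 Mbps flood) every class simply gets its demand, which is why shares alone are invisible in normal operation and why the reservation, not the share, is the control to reach for when a service must keep working during an attack.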
Each VxRail node has a separate physical Ethernet port for the iDRAC hardware management interface. Physically segmenting this network makes it difficult for attackers to gain access to hardware management. In the event of a distributed denial-of-service attack, the physically segmented networks will not be affected, limiting the scope of a potential attack.

UEFI secure boot
UEFI secure boot protects the operating system from corruption and rootkit attacks. UEFI secure boot validates that the firmware, boot loader, and VMkernel are all digitally signed by a trusted authority. UEFI secure boot for ESXi also validates that the VMware Installation Bundles (VIBs) are cryptographically signed. This ensures that the server boot stack is running only genuine software and that it has not been changed.

Software checksum
A key part of data integrity is validating that the data retrieved from storage has not been altered since it was written. VxRail uses a block-level, end-to-end data integrity checksum by default. The checksum is created when the data is written and verified on read; if the checksum shows that the data has changed since it was written, the block is reconstructed from the other members of the object's RAID set. vSAN also uses a proactive scrubber mechanism to detect and correct potential data corruption, even on infrequently accessed data.
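The following Python model is an added example, not vSAN code, that makes the verify-on-read and scrub behaviours described above tangible on a toy mirrored object (two replicas, as with a failures-to-tolerate of 1 using RAID-1). A checksum is stored with each block at write time, checked on every read, and a failing block is rebuilt from the surviving replica; the scrubber walks every block on every replica, which is the only way corruption on a block nobody reads gets found. zlib.crc32, the 4 KiB block size, and the sample payloads are assumptions for the demo, not vSAN's actual checksum algorithm or on-disk layout.

```python
"""Block checksums with verify-on-read repair and a proactive scrubber.

Added example, not vSAN code. It models the behaviour described above on a
toy mirrored object (two replicas, like FTT=1 RAID-1): a CRC is stored with
every block on write, verified on every read, and a bad block is rebuilt
from the surviving replica; the scrubber walks every block, including ones
no one reads, and repairs silent corruption. zlib.crc32 stands in for the
real implementation's checksum; block size and sample data are constructed.
"""
import zlib

BLOCK_SIZE = 4096
REPLICAS = 2


class ChecksumError(Exception):
    """Every replica of a block failed verification; data is unrecoverable."""


class MirroredObject:
    def __init__(self, name, blocks):
        self.name = name
        self.blocks = blocks
        # replica index -> block index -> (bytes, crc)
        self.replicas = [dict() for _ in range(REPLICAS)]
        self.repairs = []   # (replica, block) pairs that were rebuilt

    def write(self, idx, data):
        data = data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]
        crc = zlib.crc32(data)          # checksum computed once, at write time
        for rep in self.replicas:
            rep[idx] = (data, crc)

    def _verify(self, replica, idx):
        data, crc = self.replicas[replica][idx]
        return zlib.crc32(data) == crc

    def read(self, idx):
        """Verify on read; on mismatch fall back to the next replica and use
        it to rebuild the bad one before returning the data."""
        bad = []
        for r in range(REPLICAS):
            if self._verify(r, idx):
                good = self.replicas[r][idx]
                for b in bad:
                    self.replicas[b][idx] = good
                    self.repairs.append((b, idx))
                return good[0]
            bad.append(r)
        raise ChecksumError(f"{self.name}: block {idx} bad on every replica")

    def scrub(self):
        """Proactively verify every replica of every block and repair from a
        healthy sibling. Returns the list of (replica, block) repaired."""
        fixed = []
        for idx in range(self.blocks):
            good = next((r for r in range(REPLICAS) if self._verify(r, idx)), None)
            if good is None:
                raise ChecksumError(f"{self.name}: block {idx} bad on every replica")
            for r in range(REPLICAS):
                if not self._verify(r, idx):
                    self.replicas[r][idx] = self.replicas[good][idx]
                    fixed.append((r, idx))
        self.repairs.extend(fixed)
        return fixed

    def corrupt(self, replica, idx, offset=0):
        """Fault injection for the demo: flip one byte on one replica but leave
        the stored CRC alone, which is what bit rot or a misdirected write does."""
        data, crc = self.replicas[replica][idx]
        flipped = data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]
        self.replicas[replica][idx] = (flipped, crc)


def demo():
    obj = MirroredObject("vm-001.vmdk", blocks=8)
    for i in range(obj.blocks):
        obj.write(i, f"block-{i}-payload".encode())   # constructed payloads
    obj.corrupt(0, 2)                # caught by the next read of block 2
    obj.corrupt(1, 5, offset=100)    # nobody reads block 5: only the scrubber finds it
    first = obj.read(2)              # returns good data, repairs replica 0
    repaired = obj.scrub()           # finds and repairs replica 1 of block 5
    return first, repaired, list(obj.repairs)


if __name__ == "__main__":
    print(demo())
```

The point of the scrubber is the second fault: the read path only ever repairs what is read, so a cold block with a rotted replica stays wrong until a scrub pass visits it. When both replicas fail, the model refuses to return data instead of guessing, which is the behaviour you want from storage that claims end-to-end integrity.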
Availability
Keeping your IT system updated, making sure hardware is functioning correctly, and providing adequate bandwidth are all keystones for maintaining the availability of a company's data to authorized users. VxRail software lifecycle management, vSphere availability features, proactive monitoring, and built-in recovery, as well as physical security of the hardware and secure system configuration, ensure maximum system availability.

VxRail software lifecycle management
One of the most critical actions an organization can take to keep its IT infrastructure secure is to keep software updates and patches current. Updates and patches don't just fix issues that might lead to downtime or improve performance; they often fix security vulnerabilities. There is tremendous collaboration within the security community, but not everyone is on the same side, and it becomes a race between the defenders who are working to mitigate and remediate threats and the attackers whose goal is to exploit the vulnerabilities. Because VxRail is co-engineered with VMware, the VxRail team is read in early on plans for security fixes, which enables it to quickly validate and prepare pre-qualified security patches. VxRail software lifecycle management makes complex and risky update operations easy to install and safe to implement. The VxRail HCI system is the only system where all software components are engineered, tested, and released as a bundle. VxRail software bundles may include updates to BIOS, firmware, hypervisor, vSphere, or any included management components. If and when vulnerabilities are discovered, fixes are quickly developed to mitigate threats regardless of where they are. Update bundles are extensively tested on the VxRail hardware platform and the entire VxRail software stack before being released to customers. Administrators are notified through the HCI System Software when updates are available. The administrator can then download the update bundle directly and initiate or schedule an orchestrated update process. Updates are performed as rolling processes while the system remains online serving the business. If a reboot is required, the VMs are automatically migrated to other nodes in the cluster before continuing. Not only does HCI System Software lifecycle management reduce complexity, but it also makes the infrastructure more secure by reducing the time and difficulty it takes to patch systems, and the risk that comes with it.

VxRail with vSphere availability features
VxRail leverages the built-in vSphere availability features, including VMware High Availability (HA), VMware Distributed Resource Scheduler (DRS), and VMware stretched clusters. These capabilities support VxRail automated software updates and provide continuous availability of services hosted on VxRail. Therefore, it is recommended that customers use versions of vSphere that include these capabilities.

VMware HA monitors running VMs in a VxRail cluster. If a VM or node fails, HA restarts the VM on another node elsewhere in the cluster. A VM can fail for a number of reasons, including a cyber-attack, failure of the underlying hardware, or corrupted software. Although VMware HA does not prevent outages, it minimizes the time it takes to restore services.

VMware DRS spreads the VM workload across all the hosts in the cluster. As VM resource demands change, DRS migrates VM workloads, using vSphere vMotion, to other hosts within the cluster. Cyber-attacks often cause heavy resource utilization by the VM being attacked, and heavy utilization at the host level reduces the resources available to the other VMs on that host, so an attack can cause resource issues for VMs that were never targeted. DRS protects those VMs by migrating them away from resource-constrained hosts, enabling them to continue to provide services.

A VMware stretched cluster extends a VxRail cluster from a single site to span two sites for a higher level of availability. Only a single instance of a VM exists; however, full copies of its data are maintained at both sites. Should the site the VM is running on become unavailable, the VM will be restarted at the other site.

Data protection
Strong security defenses are critical, but a robust and trusted recovery plan is equally important. Backup and replication are the cornerstones of recovery after a breach. In order to aid in recovery, HCI System Software includes file-based backup and restore. All VxRail systems incorporate a starter pack for Dell EMC RecoverPoint for VMs (RP4VM), which provides best-in-class local and remote replication and granular recovery. HCI System Software file-based backup and restore protects against the accidental deletion or internal corruption of the VxRail management virtual machine. Backups can be configured to occur regularly or on an as-needed basis. This is an all-inclusive feature that backs up files inside the vSAN datastore, so additional hardware and software are not required. With RP4VM, if, for example, a VM is compromised or data is damaged or ransomed, the VM and its data set can quickly be rolled back to a point in time prior to the attack, allowing the business to recover quickly. RP4VM is installed directly from VxRail Manager, and day-to-day monitoring occurs through the familiar vCenter plug-in. Recovery is easy and is performed using the vSphere interface. For organizations that require enhanced, comprehensive data protection capabilities, VxRail supports options including Dell EMC Data Protection Suite for VMware, Dell EMC PowerProtect, and Dell EMC Data Domain Virtual Edition. File-based backups of VxRail HCI System Software help ensure business continuity in the rare event that the VxRail VM needs to be rebuilt.

System Security

VxRail Authentication, Authorization, and Accounting
VxRail has an Authentication, Authorization, and Accounting (AAA) framework built in. AAA is designed to control access: ensuring that the right person is using the system, determining what level of access they have, and logging activity to account for what has been done and by whom.

Authentication
Authentication to HCI System Software is handled by SSO through the vCenter plug-in. VxRail vCenter supports the organization's centralized identity management system in accordance with its authentication security policies. Organizations often centralize identity management using directory services such as Microsoft Active Directory (AD) via LDAP. If VxRail is a standalone environment and not part of a domain, users and passwords can be managed locally in vSphere and iDRAC; from a best-practice stance, centralized authentication is recommended. Many environments strengthen their identity management using multi-factor authentication, which requires an additional level of identity verification, such as certificates, smart cards, or security tokens, in addition to a username and password. VxRail fully supports multi-factor authentication for both domain and locally managed users. Often there are different individuals responsible for the physical servers, for VxRail lifecycle management, and for the management of the server, storage, and network virtualization environment. Therefore, VxRail uses fine-grained, role-based access controls for iDRAC, HCI System Software, and vSphere.

Authorization
Using the principle of least privilege (POLP), a user is granted the rights required to perform their role but no more than is needed. vSphere includes several predefined roles that are used to grant appropriate privileges. For example, a user may be granted the role of vSphere Administrator, HCIA Management, or both. The HCIA Management role grants a user the privilege to perform VxRail lifecycle management tasks from the VxRail management plug-in within vCenter; vSphere Administrator grants the privilege to perform administrator tasks in vCenter. vSphere allows an even more granular level of access control through the creation of custom roles. For example, a privileged user may be granted the ability to acknowledge an alarm or create a storage profile but not to deploy VMs. Roles are associated with users and groups and with specific objects, where an object is a thing or a group of things. For example, a user or group might have permission to acknowledge alerts for a particular VM or port, but not for other objects. Also, restrictive roles such as No Access may be assigned to users, preventing them from seeing specific areas within vCenter. Multiple users or groups can be granted the same or different levels of access to the same object. Permissions granted on a child object override permissions inherited from a parent object. vSphere role-based access control supports the granular security principles of "least privilege" and "separation of responsibility" and allows the security administrator to enhance security by defining precise permissions based on the systems management structure of an organization.
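The inheritance rules in the paragraph above (roles are privilege sets, permissions bind a user or group to a role on an inventory object, permissions propagate down the tree, and a permission set on a child overrides one inherited from a parent) are exactly what an auditor has to reason about when answering "what can this account actually do to this VM?". The following Python resolver is an added example, not VMware code. The inventory tree, group membership, role contents, and privilege strings are constructed for illustration; the strings resemble vSphere's but are not taken from its privilege reference.

```python
"""Effective-permission resolution in the vSphere style.

Added example, not VMware code. It models the rules in the text: roles are
sets of privileges, permissions bind a user or group to a role on an
inventory object, a permission can propagate to children, and a permission
set on a child object overrides one inherited from a parent. Inventory,
group membership, role contents and privilege names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ROLES: Dict[str, FrozenSet[str]] = {
    "Administrator":   frozenset({"*"}),            # every privilege
    "No Access":       frozenset(),                 # sees nothing
    "HCIA Management": frozenset({"VxRail.Lcm.Update", "VxRail.Lcm.View"}),
    "Alarm Operator":  frozenset({"Alarm.Acknowledge", "System.View"}),
    "Storage Policy":  frozenset({"StorageProfile.Update", "System.View"}),
}


@dataclass(frozen=True)
class Permission:
    principal: str        # "user:alice" or "group:ops"
    role: str
    propagate: bool = True


class Inventory:
    def __init__(self):
        self.parent: Dict[str, Optional[str]] = {}
        self.perms: Dict[str, List[Permission]] = {}

    def add(self, obj, parent=None):
        self.parent[obj] = parent
        self.perms.setdefault(obj, [])

    def grant(self, obj, perm):
        self.perms[obj].append(perm)

    def path(self, obj):
        """The object itself first, then its ancestors up to the root."""
        chain = []
        while obj is not None:
            chain.append(obj)
            obj = self.parent[obj]
        return chain

    def effective_privileges(self, user, groups, obj) -> Set[str]:
        """The nearest object on the path that carries a permission for the
        user (directly or via a group) decides. A non-propagating permission
        only counts on the object it was set on; a user permission beats
        group permissions on the same object; several group permissions on
        one object are unioned. No permission anywhere means no access."""
        wanted_groups = {f"group:{g}" for g in groups}
        for depth, node in enumerate(self.path(obj)):
            applicable = [p for p in self.perms[node] if depth == 0 or p.propagate]
            direct = [p for p in applicable if p.principal == f"user:{user}"]
            via_group = [p for p in applicable if p.principal in wanted_groups]
            chosen = direct or via_group
            if chosen:
                privs: Set[str] = set()
                for p in chosen:
                    privs |= ROLES[p.role]
                return privs
        return set()

    def can(self, user, groups, obj, privilege) -> bool:
        privs = self.effective_privileges(user, groups, obj)
        return "*" in privs or privilege in privs


def build_demo() -> Inventory:
    """Constructed inventory: a vCenter root, one data center, one VxRail
    cluster and two VMs, with the grants described in the comments."""
    inv = Inventory()
    inv.add("vcenter")
    inv.add("dc-paris", "vcenter")
    inv.add("vxrail-cluster-01", "dc-paris")
    inv.add("vm-payroll", "vxrail-cluster-01")
    inv.add("vm-web", "vxrail-cluster-01")
    # bob does lifecycle management only, granted at the root and propagated
    inv.grant("vcenter", Permission("user:bob", "HCIA Management"))
    # the ops group may acknowledge alarms on the cluster but must not see payroll
    inv.grant("vxrail-cluster-01", Permission("group:ops", "Alarm Operator"))
    inv.grant("vm-payroll", Permission("group:ops", "No Access"))
    # alice is a full administrator on the data center, but an explicit grant
    # on one VM narrows her to storage-policy work there (child overrides parent)
    inv.grant("dc-paris", Permission("user:alice", "Administrator"))
    inv.grant("vm-web", Permission("user:alice", "Storage Policy"))
    return inv
```

Two things the resolver makes visible that a glance at the permissions list does not: No Access on a child object silently wins over a generous group grant higher up, and an explicit narrow grant on one VM takes an administrator down to that role on that object only, while every sibling object still inherits the full Administrator role.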
Accounting
Understanding changes in configuration and component status is vital to keeping systems secure and available. Changes may be the result of a temporary fix causing configuration drift, or they could be an indication of a possible intrusion. Proactively monitoring infrastructure is an important security activity. Timely detection of an intrusion can mean the difference between a brief interruption in which the attacker is unable to compromise any critical systems and an intrusion that persists for months, leading to the compromise of multiple critical systems. Failure to maintain a system of audit logs may leave too little information about an attack to determine its severity. According to the 2019 Trustwave Global Security Report (registration required), fifty-seven percent of the incidents investigated involved corporate and internal networks (up from 50% in 2017).ii

Configuration drift is a challenge that affects all systems. Systems may start with a secure configuration baseline, but over time, changes can occur that may leave the system vulnerable. These changes can happen for a variety of reasons, including a temporary change while troubleshooting or an approved change that should become part of the baseline configuration. Without monitoring, those changes become very hard to detect. The challenge with monitoring this information is that it comes from many different sources: an individual VM, a physical server, the virtualization infrastructure, the network, security components, or the applications themselves. Making sense of this information requires a consolidated view of activity and changes.

VxRail includes vRealize Log Insight. Log Insight compiles VMware logs, including those from servers, network devices, storage, and applications. As the figure below shows, Log Insight creates a dashboard with graphs based on the data in the logs, which helps the administrator quickly and easily drill down to the root cause of an issue. The following figure shows the vRealize Log Insight dashboard:

Figure 10. vRealize Log Insight

Correlating all of this information is one of the many reasons that VxRail uses the industry-standard Network Time Protocol (NTP) to keep all of the component clocks in sync. For organizations that already have a log management system or a Security Information and Event Management (SIEM) system, VxRail integrates easily using the standard Syslog protocol.
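The value of forwarding ESXi logs to a central collector over Syslog, and of keeping every host on NTP, shows up the moment you try to correlate across hosts. The following Python detector is an added example, not part of VxRail or vRealize Log Insight. It parses SSH authentication events in the shape ESXi's sshd/PAM messages take after Syslog forwarding, counts failed logins per source address across all hosts in a sliding window (which only makes sense if the hosts' clocks agree), and escalates when a flagged address subsequently logs in successfully. The log lines, hostnames, addresses, threshold, and window are constructed samples and tunables, not captured data or vendor defaults.

```python
"""Detection over ESXi SSH authentication events forwarded via Syslog.

Added example, not part of VxRail or vRealize Log Insight. It shows the kind
of correlation that only works when every source keeps NTP time: failed SSH
logins from one remote address are counted across all hosts in a sliding
window, and a later successful login from the same address is escalated.
The log lines are constructed samples in the shape of ESXi's sshd/PAM
messages as received by a syslog collector; they are not captured data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2020-10-14T09:12:01Z esx01.lab.local sshd[12001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.77 user=root
2020-10-14T09:12:04Z esx01.lab.local sshd[12001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.77 user=root
2020-10-14T09:12:09Z esx02.lab.local sshd[30411]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.77 user=root
2020-10-14T09:12:15Z esx02.lab.local sshd[30411]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.77 user=root
2020-10-14T09:12:40Z esx03.lab.local sshd[8820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.20.77 user=root
2020-10-14T09:13:02Z esx03.lab.local sshd[8821]: Accepted keyboard-interactive/pam for root from 10.10.20.77 port 51722 ssh2
2020-10-14T09:30:00Z esx01.lab.local sshd[12090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.5 user=root
2020-10-14T09:31:10Z esx01.lab.local sshd[12091]: Accepted keyboard-interactive/pam for root from 10.10.5.5 port 40100 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"authentication failure;.*rhost=(?P<ip>\S+) user=(?P<user>\S+)")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")

THRESHOLD = 5                    # failures from one address ...
WINDOW = timedelta(minutes=5)    # ... inside this window, on any host


def parse(text):
    """Return (timestamp, host, kind, ip, user) tuples sorted by time. The
    sort across hosts is only meaningful because the hosts share NTP time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        msg = m["msg"]
        if f := FAIL_RE.search(msg):
            events.append((ts, m["host"], "fail", f["ip"], f["user"]))
        elif s := OK_RE.search(msg):
            events.append((ts, m["host"], "ok", s["ip"], s["user"]))
    return sorted(events)


def detect(events):
    """Per source IP, across all hosts: alert once THRESHOLD failures fall
    inside WINDOW; escalate if that IP then logs in successfully."""
    alerts = []
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    flagged = set()              # ips already alerted on
    for ts, host, kind, ip, user in events:
        if kind == "fail":
            window = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
            recent[ip] = window
            if len(window) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts, host))
        elif kind == "ok":
            if ip in flagged:
                alerts.append(("success_after_brute_force", ip, ts, host))
            recent[ip].clear()   # a normal mistyped password followed by success
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

Run on the sample, the single mistyped password from 10.10.5.5 produces nothing, while 10.10.20.77 trips the threshold on its fifth failure (spread over three hosts, so no per-host rule would have seen it) and is escalated when esx03 accepts the login a few seconds later. Feeding this from a SIEM rather than a string is a matter of replacing SAMPLE_LOG; the correlation logic does not change.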
VxRailphysicallocationsecurityPhysicalsecurityisanessentialpartofanycomprehensivesecuritysolution.
BecauseaVxRailmaybedeployedoutsideofatraditionaldatacenter,physicalsecuritycantakeonevengreaterimportance.
TopreventmalwareorinfectedsoftwarefrombeingintroducedviaaUSBdrive,theUSBportsonaVxRailcanbedisabledandthenenabledonlywhenneeded.
VxRailnodesalsomonitorforothereventssuchaschassisopenings,partsfailureorreplacement,firmwarechanges,andtemperaturewarnings.
ThisinformationisrecordedintheiDRACLifecycleLog.
Inmanycases,achassisneednotbeopenedafterit'sputintoproduction,andtrackingsuchactivitycouldbeanindicatorofanattempttocompromisethesystem.
AutomationAnimportantpartofmaintainingsecurityis,ensuringthatalloftherelevantsecurityconfigurationelementsareimplementedonalloftheobjectsinanenvironment.
AnindividualVxRailclustercanhaveupto64physicalnodes,andmultipleVxRailclusterscanbemanagedbyonevCenter,thussupportingthousandsofVMs.
Evenasimplechange—ifitmustbeconfiguredonalltheVMs—couldtakeasignificantamountoftimeVxRailsecuritycapabilities30DellEMCVxRailAppliances:ComprehensiveSecuritybyDesignWhitePapertoenact.
Inaddition,whenperformingrepetitivetasks,peoplearepronetomakemistakes.
Thisiswhereautomationbecomescritical.
Automationallowsanenvironmenttohavefewerconfigurationerrorsandmoreconsistentconfigurationwhileincreasingefficiencyandreducingthetimebetweenwhenadecisionismadeandwhenitisimplemented,increasingthetimetovalueofthosedecisions.
CompatibletoolslikevRealizeAutomation,whichallowstheautomationofvSphereandvSAN.
Thesetoolscanbeusedtoautomatestandardday-to-dayoperations,suchasthecreationofVMsorstoragepolicies.
vRealizeAutomationcanalsobeusedtovalidatethatthesecurityconfigurationhasnotdriftedfromitsappropriatesettings.
Iftheconfigurationhaschanged,vRealizeAutomationisabletoreconfiguretheESXiservers,vCenter,orindividualVMssothattheyonceagainmeettherequiredsecurityconfiguration.
Inaddition,becausevRealizeAutomationisastandardVMwaretool,manyITvirtualizationteamsalreadyknowhowtoworkwithvRealizeAutomationandhavecreatedprofilesthatwillworkwithaVxRailcluster.
Configuringsecuritycanbeacomplex,error-proneprocesswithmanyofthesamerisksthatitseekstomitigate.
ThreedifferentelementssimplifytheprocessofsecuringVxRailinfrastructure.
First,vSpherehasa"securebydefault"approachtoconfiguration.
Second,DefenseInformationSystemsAgencySecurityTechnicalImplementationGuides(DISASTIGs)giveablueprintforsecurityhardening.
Avarietyofautomationtoolsallowthemonitoringandconfigurationofsecurityparameterstobecheckedandconfiguredasnecessary.
Thisenablestheappropriateriskprofiletobeconfiguredtocorrespondwiththebusinessneeds.
Finally,theabilitytoautomaterevertingtheconfigurationtoaknownsecurestatewhenunexpectedchangesoccurisavitalpartofVxRailsecurity.
Starting with vSphere 6.0, VMware began an initiative to make security the default setting for vSphere. This makes VxRail more secure straight out of the box. As part of this initiative, most recommended security settings were classified as either site-specific or changed to default to the secure setting. Settings that previously had to be changed after the installation were updated so that the secure setting became the default. Configuration settings that are classified as site-specific cannot be configured by default, for example the hostname of a remote Syslog or NTP server. With VxRail, many of the settings that VMware classifies as site-specific are configured by HCI System Software as part of the installation.

Many organizations use STIGs as a baseline to harden their systems. These STIGs provide a checklist in both a human-readable PDF and an automated script. This enables automation tools to read the STIG and configure the environment to match the recommended configuration with minimal manual intervention. Existing VMware STIGs cover VxRail components, including vSphere, ESXi, and vSAN, and the VxRail hardening package makes implementation as easy as possible. Dell EMC VxRail running VxRail software v4.5.x, 4.7.x, and 7.x complies with relevant DISA Security Technical Implementation Guide (STIG) requirements.

Over time, configurations can drift to less secure positions. Because of this, it is important not only to monitor the configuration but also to automate the restoration of the environment to the initial secure state. VxRail supports multiple options depending on the level of automation required. VxRail has automated hardening tools that check the current configuration against a STIG and, if the configuration has changed, revert the configuration back to the known safe state. If a more extensive automation tool is required, VMware vRealize Suite works with VxRail environments to automate configuration management while maintaining governance and control. VMware offers AppDefense, a more application-focused tool that uses machine learning to gather information about a known good state for VMs and the applications they support. With this tool, when a variation from the known good state is detected, the administrator is notified, and a response can be automated from a library of incident response routines.
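The drift check and restore loop described above, as an added example that is not VxRail's own hardening tooling and not code from the white paper: it compares a configuration snapshot with a STIG-style baseline, reports each deviation, restores the settings that have a known secure default, and leaves site-specific settings (remote syslog, NTP) for the operator because no default value exists for them. The rule IDs, setting names and values are constructed placeholders, not real STIG identifiers or real ESXi setting names.

```python
"""Configuration-drift check against a hardening baseline.

Added example, not VxRail's own hardening tooling. It models the workflow the
text describes: snapshot the live configuration, compare it with a STIG-style
baseline, report drift, and produce the restored configuration. Rule IDs,
setting names and values below are constructed placeholders, not real STIG
identifiers or real ESXi advanced-setting names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BaselineRule:
    rule_id: str              # placeholder ID (not a real STIG rule ID)
    setting: str              # configuration key to check
    expected: Optional[str]   # required value; None when site-specific
    site_specific: bool = False


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    current: Optional[str]
    expected: Optional[str]
    auto_fixable: bool        # site-specific values have no default to restore


# Constructed baseline. Site-specific rules (remote syslog, NTP) have no
# universal secure default, so they are checked for presence, not for a value.
BASELINE: List[BaselineRule] = [
    BaselineRule("RULE-001", "ssh.enabled", "false"),
    BaselineRule("RULE-002", "shell.timeout_seconds", "900"),
    BaselineRule("RULE-003", "password.history", "5"),
    BaselineRule("RULE-004", "syslog.remote_host", None, site_specific=True),
    BaselineRule("RULE-005", "ntp.server", None, site_specific=True),
]

# Constructed snapshot of a drifted host: SSH was re-enabled and the remote
# syslog target was cleared.
SAMPLE_SNAPSHOT: Dict[str, str] = {
    "ssh.enabled": "true",
    "shell.timeout_seconds": "900",
    "password.history": "5",
    "syslog.remote_host": "",
    "ntp.server": "ntp.example.internal",
}


def check_drift(current: Dict[str, str],
                baseline: List[BaselineRule] = BASELINE) -> List[Finding]:
    """Compare a configuration snapshot with the baseline and list every deviation."""
    findings: List[Finding] = []
    for rule in baseline:
        value = current.get(rule.setting)
        if rule.site_specific:
            # No default exists; the only check is that the operator set a value.
            if not value:
                findings.append(Finding(rule.rule_id, rule.setting, value, None, False))
        elif value != rule.expected:
            findings.append(Finding(rule.rule_id, rule.setting, value, rule.expected, True))
    return findings


def remediate(current: Dict[str, str], findings: List[Finding]) -> Dict[str, str]:
    """Return a copy of the snapshot with every auto-fixable setting restored.

    Site-specific findings are left for the operator: restoring them needs a
    value only the site knows (the syslog or NTP hostname).
    """
    restored = dict(current)
    for f in findings:
        if f.auto_fixable and f.expected is not None:
            restored[f.setting] = f.expected
    return restored


def pending_manual(findings: List[Finding]) -> List[str]:
    """Settings that drifted but cannot be restored without a site value."""
    return [f.setting for f in findings if not f.auto_fixable]


if __name__ == "__main__":
    drift = check_drift(SAMPLE_SNAPSHOT)
    for f in drift:
        print(f"{f.rule_id} {f.setting}: current={f.current!r} "
              f"expected={f.expected!r} auto_fixable={f.auto_fixable}")
    restored = remediate(SAMPLE_SNAPSHOT, drift)
    print("still needs a site value:", pending_manual(check_drift(restored)))
```

Running the block reports two findings for the constructed snapshot, restores the SSH setting automatically, and leaves the empty remote syslog host as a manual item; a real implementation would take the snapshot from the platform's own settings API and log every restore as a change event.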
VxRail HCI System Software SaaS multi-cluster management security overview

VxRail HCI System Software SaaS multi-cluster management complements the built-in operational simplicity with operational intelligence for VxRail clusters. SaaS multi-cluster management delivers a combination of operational simplicity and operational intelligence with intrinsic security, enabling companies' pursuit of IT infrastructure transformation. SaaS multi-cluster management runs on a Dell EMC IT-managed cloud platform. As a cloud-based SaaS solution, SaaS multi-cluster management has the flexibility to deliver new functionality frequently and without disruption, providing an exceptional customer experience. Its neural network for deep learning will continually improve its predictive capabilities as it ingests the wealth of metadata VxRail can collect about its clusters. VxRail users can access SaaS multi-cluster management via a web portal, MyVxRail, at https://myvxrail.dell.com using their Dell EMC support credentials.

SaaS multi-cluster management collects telemetry data from VxRail nodes across the organization's VxRail clusters via a data collector service running on VxRail HCI System Software. It securely transmits that data to the cloud platform via the Secure Remote Services (SRS) gateway, as shown in the following figure:

Figure 11. SaaS multi-cluster management connectivity

Security built into SaaS multi-cluster management

Dell EMC understands customers' concerns in maintaining the security of their data. Security is intrinsic to SaaS multi-cluster management, from data collection through data transit and at rest. In addition, SaaS multi-cluster management has been securely developed using architectural controls as part of the Dell EMC standard Security Development Lifecycle. This standard defines the security-focused activities Dell EMC product teams must follow when building and releasing products, in order to minimize the risks to our products and customer environments from security vulnerabilities.
SaaS multi-cluster management data collection

On each VxRail cluster, the Adaptive Data Collector (ADC) service retrieves telemetry data from the HCI System Software through VxRail hardware and software connectors. ADC does not collect any Personally Identifiable Information (PII). The telemetry data collected by the ADC is shown in the following table:

Table 1. VxRail telemetry data collected by SaaS multi-cluster management
- Basic Telemetry (HW Topology: HCI, Drive, Firmware, PSU): HCI System Software
- Performance Data: Cluster (CPU, Memory, Disk); VM (CPU, Memory, Disk); vSAN (Disk, Network)
- Alarms: vCenter; VxRail
- Hardware Sensor Data: Sensor Type; Health State; Name; Current Reading
- Cluster Information

Telemetry data collected by the ADC is not stored locally; the data is transmitted securely over the Dell SRS Gateway. Only data collected by the Adaptive Data Collector (ADC) is sent to the Dell EMC backend.
SaaS multi-cluster management data in transit to Dell

SaaS multi-cluster management subscribes for notifications of HCI system data arrival via the SRS Gateway. Customers control which systems send HCI system data over the gateway. All data transmitted over the Dell EMC SRS Gateway is protected in transit by industry-standard best practices. The SRS Gateway is bi-directionally authenticated using RSA digital certificates in conjunction with customer-controlled access policies and a detailed audit log. Point-to-point communication is established through Advanced Encryption Standard (AES) 256-bit encryption, ensuring all data is securely transported to the Dell EMC IT-managed infrastructure. SRS provides for dedicated VPN and multi-factor authentication.
SaaS multi-cluster management data at rest

Once the data arrives at Dell, SaaS multi-cluster management encrypts and stores the data in its own Dell EMC IT-managed infrastructure. HCI system data received from clusters enabled for telemetry data collection is encrypted and stored on the Dell EMC IT-managed Dell infrastructure. The Dell EMC IT infrastructure:
- Provides a secure platform that ensures each customer's telemetry data is isolated.
- Provides High Availability, Fault Tolerance, and Disaster Recovery.
- Locates customer's telemetry data (including backups) in the U.S.
- Indefinitely retains historical data for systems that are actively being monitored by SaaS multi-cluster management, including SaaS multi-cluster management-derived insights.
- Gives each customer access to an independent, secure portal from which each user can only see those systems in SaaS multi-cluster management that are part of that user's site access as defined in Dell EMC MyService360.
Administrative access to SaaS multi-cluster management infrastructure managed by Dell EMC IT

The Dell Technologies Security and Resiliency Office (SRO), led by Dell's Chief Security Officer, is responsible for the security and protection of Dell EMC's information technology infrastructure that hosts the SaaS multi-cluster management solution. This is accomplished via established governing security policies and procedures and enforcement of Information Security controls, which include measures such as multi-layered firewalls, intrusion detection systems, industry-leading antivirus, and malware protection. The Dell EMC cybersecurity team runs continuous vulnerability scans on the application and underlying environment. Any required remediation is handled through an ongoing vulnerability remediation program, such as software upgrades, patches, or configuration changes.

All data sent to SaaS multi-cluster management is stored on infrastructure hosted in the Dell EMC data center. The Information Security Policy ensures that all Dell EMC information and resources are properly protected, information owners must ensure all resources are accounted for, and each resource has a designated custodian. All infrastructure components are located in the dedicated Dell EMC firewall-protected enclave network that is not exposed to external access. No individual direct login to the database server and database is allowed, except by the members of the System Administrator and Database Administrator teams. Database application accounts are managed using standard database password authentication.

Dell EMC has implemented an industry best practice Change Management process to ensure that Dell EMC infrastructure hardware is stable, controlled, and protected. Change Management provides the policies, procedures, and tools needed to govern these changes to ensure that they undergo the appropriate reviews and approvals and are communicated effectively to users.
SaaS multi-cluster management data access control

SaaS multi-cluster management data access can be divided into two categories:
- Access by customers to the MyVxRail web portal for viewing their system data and derived insights from SaaS multi-cluster management.
- Access by internal Dell EMC IT System Administrators and Database Administrators to SaaS multi-cluster management infrastructure that is managed by Dell EMC.
The sub-sections below describe how data access is controlled for these two categories of users.

End user access to SaaS multi-cluster management

Customers use their existing support account to log in to MyVxRail. Access to SaaS multi-cluster management data from MyVxRail requires that each end user has a valid Dell EMC support account. Authentication is handled by Dell EMC's Single Sign-On (SSO) infrastructure. MyVxRail uses the Dell EMC MyService360 customer user profile for access control. The user profile is created and associated with a valid customer profile when the user registers for an account with Dell EMC. MyVxRail provides each customer with a secure independent view of their systems and ensures that they will only see their data. Each user can only see those systems in MyVxRail that are part of that user's site access as per the configuration of that user in Dell EMC MyService360.

Dell EMC is very sensitive to the importance of protecting customers' proprietary and confidential information. To that end, all Dell EMC employees are required to sign an employee agreement, which includes provisions that address all customer information. The obligations of this agreement extend to any machine-stored data perceived, in any manner or format, while engaged in maintenance services and remain in effect even after termination of employment with Dell EMC.
Compatible standards and certifications

VxRail is a robust and flexible hyper-converged infrastructure that can be configured to enable organizations to satisfy compliance regulations. While some HCI vendors may claim compatibility, Dell EMC is actively pursuing full certification for the security standards that are important to our customers. Contact your Dell EMC representative to discuss how VxRail meets even the most stringent business and regulatory requirements. The following list describes a few of the standards and certifications that apply to VxRail:

FIPS 140-2 Data-at-Rest Encryption — The Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) establishes requirements and standards for the hardware and software components of cryptography modules. FIPS 140-2 is required by the U.S. government and other regulated industries, such as financial and healthcare institutions, that collect, store, transfer, share and disseminate sensitive but unclassified information. PowerEdge servers used by VxRail have been validated.

Common Criteria EAL2+ — Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria evaluations are performed on computer security products and systems to evaluate the system's security features and provide a confidence level for the product's security features through Security Assurance Requirements (SARs) or Evaluation Assurance Levels (EALs). Common Criteria certification cannot guarantee security, but it can ensure that claims about security attributes are independently verified. PowerEdge servers and vSphere components used by VxRail currently hold a full certification.

NIST Cybersecurity Framework — The NIST Framework for Improving Critical Infrastructure is a voluntary guideline developed to help organizations improve the cybersecurity, risk management, and resilience of their systems. NIST conferred with a broad range of partners from government, industry, and academia for over a year to build a consensus-based set of sound guidelines and practices. Special Publication 800-131A presents recommendations for encryption key length.

NSA Suite B — Suite B is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. The current versions of ESXi and vCenter used with VxRail support NSA Suite B.

Section 508 VPAT — The United States Access Board Section 508 Standards apply to electronic and information technology procured by the federal government and define access requirements for people with physical, sensory, or cognitive disabilities. Both the PowerEdge server and vSphere software components used by VxRail comply with Section 508 VPAT.

Trade Adjustment Assistance (TAA) — The Trade Adjustment Assistance Program is a federal program that provides a path for employment growth and opportunity through aid to U.S. workers who have lost their jobs due to foreign trade. When sold as a system, VxRail is TAA compliant.

DISA STIG — The U.S. Department of Defense (DOD), Defense Information Systems Agency (DISA), develops configuration standards known as Security Technical Implementation Guides (STIGs) as one of the ways to maintain the security of DOD IT infrastructure. These guides provide technical guidance to lock down information systems and/or software that might otherwise be vulnerable to an attack. Dell EMC offers manual and automated steps for configuring VxRail to comply with DoD Information Network (DISA) STIG requirements.

IPv6 — IPv6 is the next-generation protocol used by the Internet. In addition to resolving the addressing limitations of IPv4, IPv6 has a number of security benefits, and many environments are moving toward adopting IPv6. VxRail passed USGv6 interoperability testing for IPv6 in dual-stack mode and the higher standard of IPv6 Ready testing.

Trusted Platform Module — The Trusted Computing Group defines the specification for the Trusted Platform Module (TPM). TPM 1.2 and 2.0 are optionally available with VxRail. Both are certified against FIPS 140-2, TCG, and Common Criteria security requirements. vSphere supports TPM 1.2 and TPM 2.0.
NIST Cybersecurity Framework and VxRail

The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks. This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps promote the protection and resilience of critical infrastructure. The NIST CSF core material is organized into five functions, which are subdivided into the categories shown in the following figure:

Figure 12. National Institute of Standards and Technology, Cybersecurity Framework

Visit the NIST website for more information on the NIST CSF.
VxRail security solutions and partners

VxRail is designed with security built in and deployed following security best practices. Users are authenticated and authorized with the appropriate level of access. VxRail clusters are easily configured with data-at-rest encryption to safeguard the confidentiality of the information they contain. The default network configuration segments traffic, and tools such as RecoverPoint for VM ensure that applications and services can be quickly recovered if the integrity of the data is compromised. These security features are fundamental and inherent to VxRail.

However, protecting an environment from today's threats requires defense in depth with multiple layers of security. The networks that connect the applications and services that run on VxRail to the users that consume them must be protected, and the applications and services themselves must also be secured. Firewalls, intrusion detection and prevention systems, antivirus/malware, endpoint protection, as well as security operations and management are all part of a multilayer defense. Only Dell Technologies has a full breadth of technologies and services to help you fully secure your environment. The size of your organization and where your organization is along its IT transformational journey will determine the appropriate approach. Some environments may be working within existing security frameworks, while others can take advantage of the opportunity to transform their security operations as they transform their IT infrastructure.

Organizations often leverage many different vendors as part of their security program, which adds complexity that increases risk. SecureWorks, included in the Dell Technologies family, helps you manage risk and protect your digital assets. Only Dell Technologies can provide a single vendor relationship with deep security expertise worldwide and an ecosystem of thousands of partners. The following figure illustrates the Power of Dell to help you manage risk and protect your data.

Figure 13. The Power of Dell to help you manage risk and protect your data
Identity and Access Management

VxRail supports local user accounts, LDAP integration, and single sign-on. Although it is possible to have a standalone VxRail, most environments will integrate with enterprise Identity and Access Management (IAM) systems that use directory services such as Microsoft Active Directory.

Security Incident and Event Management

VxRail includes vRealize Log Insight to centralize log management for the system. For organizations with an existing centralized log management facility, such as Splunk or a Security Incident and Event Management (SIEM) system, VxRail can be easily integrated using the industry-standard Syslog interface. For customers who do not want to manage security events themselves, SecureWorks provides log management services for VxRail and virtually any critical information asset or security technology. SecureWorks collects and monitors the security information you need to keep your business secure. More importantly, SecureWorks' deeply skilled security experts, working from their integrated Counter Threat Operation Centers, investigate and respond immediately to any malicious activity 24/7.
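What the receiving end of that Syslog integration does with the feed, as an added example that is not part of the white paper and not code from VxRail, vRealize Log Insight or SecureWorks: it decodes the RFC 5424 priority field into facility and severity and runs two basic detections a SIEM would apply, a burst of failed logins from one source against one host, and any event at error severity or worse (which is how a broken forwarding path, such as an unreachable remote syslog target, shows up). The log lines, hostnames and addresses are constructed samples (example.internal, 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), not captured VxRail output.

```python
"""Receiver-side parsing and detection over syslog lines.

Added example, not part of the white paper or of VxRail/vRealize Log Insight.
The log lines, hostnames and addresses are constructed samples.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<pid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|\[.*?\])\s*(?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

SEVERITY_ERROR = 3  # syslog severities: 0 emerg .. 3 err .. 7 debug

# Constructed sample feed: three failed SSH logins against one host from one
# source, one successful login, a routine info message, and an error about
# the remote syslog target itself.
SAMPLE_LINES: List[str] = [
    "<38>1 2020-10-12T10:00:00Z esx01.example.internal sshd 1201 - - Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2",
    "<38>1 2020-10-12T10:00:01Z esx01.example.internal sshd 1201 - - Failed password for invalid user admin from 192.0.2.10 port 40023 ssh2",
    "<38>1 2020-10-12T10:00:02Z esx01.example.internal sshd 1201 - - Failed password for invalid user admin from 192.0.2.10 port 40024 ssh2",
    "<38>1 2020-10-12T10:00:05Z esx01.example.internal sshd 1201 - - Accepted publickey for root from 198.51.100.7 port 51000 ssh2",
    "<30>1 2020-10-12T10:01:00Z esx02.example.internal vpxa 880 - - [Info] heartbeat ok",
    "<27>1 2020-10-12T10:02:00Z esx02.example.internal hostd 990 - - Syslog remote host unreachable",
]


@dataclass(frozen=True)
class Event:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    message: str


def parse_syslog(line: str) -> Optional[Event]:
    """Parse one RFC 5424 line; None if it does not match or PRI is out of range."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        return None
    return Event(pri // 8, pri % 8, m["ts"], m["host"], m["app"], m["msg"])


def detect(lines: List[str], burst_threshold: int = 3) -> List[str]:
    """Return alert strings for error-level events and failed-login bursts."""
    alerts: List[str] = []
    failures: Counter[Tuple[str, str]] = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            # Unparseable input is itself worth noticing: a forwarder
            # misconfiguration or a truncated message.
            alerts.append(f"unparseable line: {line[:40]!r}")
            continue
        if ev.severity <= SEVERITY_ERROR:
            alerts.append(f"{ev.host} {ev.app}: severity {ev.severity}: {ev.message}")
        fm = FAILED_LOGIN_RE.search(ev.message)
        if fm:
            failures[(ev.host, fm.group(2))] += 1
    for (host, source), count in failures.items():
        if count >= burst_threshold:
            alerts.append(f"{host}: {count} failed logins from {source}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the constructed feed the block raises two alerts, the unreachable remote syslog target and the three-attempt burst against esx01; the burst threshold and the severity cut-off are the two knobs a SIEM rule would tune per environment.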
Key management server

Encryption is a powerful tool for protecting the confidentiality of information, and VxRail has built-in encryption capabilities to protect data in use, in motion, and at rest. However, the data security provided by encryption is only as good as the generation, protection, and management of the keys used in the encryption process. Encryption keys must be available when they are needed, and access to the keys during decryption activities must be preserved for the lifetime of the data. Therefore, the proper management of encryption keys is essential to the effective use of cryptography. Many organizations centralize key management across the enterprise to simplify management, enforce policy, and provide reporting and auditing for compliance. VxRail and vSphere support the Key Management Interoperability Protocol (KMIP), allowing them to work with many enterprise key management systems. Dell EMC CloudLink provides KMIP-compliant key management and encryption for public, private, and hybrid clouds. For organizations that have existing key management services, VxRail and vSphere easily integrate, providing a single point of key management across the enterprise. VMware offers a list of compatible key management servers.

Other security partners

Securing today's IT infrastructure and digital assets is a complex undertaking. A single solution cannot offer a robust enough defense. This is why Dell Technologies offers an ecosystem of partners working together to address the unique risks and vulnerabilities of your environment. We recognize that the entire industry must work together to help our customers achieve their cybersecurity goals. Dell EMC VxRail and VMware vSphere support open security standards, and partners play a vital role in helping our customers transition to a secure, virtual, and multi-cloud IT world. The "VMware Integrated Partner Solutions for Networking and Security" white paper linked in Appendix A includes a list of a few partner solutions for networking, security, and compliance that are integrated with VMware vSphere, vCenter, vShield Endpoint, and vCloud Networking and Security, and lists the full set of vSphere-supported applications and software. In addition to the EPSEC APIs for antivirus/antimalware protection provided by vShield Endpoint, the VMware vCloud Ecosystem Framework provides service insertion at the vNIC and virtual edge level. The VMware Compatibility Guide makes finding the right component easy.
Conclusion

Security transformation begins with a secure IT infrastructure. VxRail provides a secure, modern infrastructure from the Core to the Edge to the Cloud. A hyper-converged infrastructure, VxRail is designed, engineered, built, and managed as a single product to reduce the possible attack surface by reducing the number of components that are involved in the infrastructure. With VxRail software lifecycle management, VxRail composite bundles may include updates to BIOS, firmware, hypervisor, vSphere, or any of the included management components, which makes updating the complete software stack much simpler and reduces the vulnerability to attacks.

Fully protecting an environment from today's threats requires "defense in depth" with multiple layers of security. The networks that connect the applications and services that run on VxRail to the users that consume them must be protected, and the applications and services themselves must also be secured. Firewalls, intrusion detection and prevention systems, antivirus/malware, endpoint protection, as well as security operations and management are all part of a multilayer defense. Dell Technologies understands security and has experts worldwide who can help you assess your environment and design a security plan to meet your unique requirements. Contact your Dell Technologies representative for more information.
References

The following table lists all links and references cited in this white paper (Asset: URL):

- Risk Based Security: https://www.riskbasedsecurity.com/2019/02/13/over-6500-data-breaches-and-more-than-5-billion-records-exposed-in-2018/
- EMC Product Security: https://www.dellemc.com/en-us/products/security/index.htm
- The Dell EMC Security Development Lifecycle: https://www.dellemc.com/en-us/products/security/index.htm#tab0=2
- Dell Product Security Incident Response Team (PSIRT): https://www.dell.com/support/contents/us/en/19/article/product-support/self-support-knowledgebase/security-antivirus/alerts-vulnerabilities/dell-vulnerability-response-policy
- Cyber Resilient Security in 14th generation of Dell EMC PowerEdge servers: http://en.community.dell.com/techcenter/extras/m/white_papers/20444755/download
- AppDefense: https://www.vmware.com/products/appdefense.html
- VMware Cloud Foundation on VxRail Architecture Guide: https://www.dellemc.com/resources/en-us/asset/technical-guides-support-information/products/converged-infrastructure/vmware_cloud_foundation_on_vxrail_architecture_guide.pdf
- VMware Product Security: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/VMware-Product-Security.pdf
- Dell EMC VxRail Network Guide: https://infohub.delltechnologies.com/t/planning-guide-dell-emc-vxrail-network-planning/
- VMware's Using SpoofGuard guide: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-06047822-8572-4711-8401-BE16C274EFD3.html
- VMware NSX Documentation: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-B5C70003-8194-4EC3-AB36-54C848508818.html
- Security for Hyper-Converged Solutions: https://communities.vmware.com/servlet/JiveServlet/download/36084-3-183512/SecurityforHyper-ConvergedSolutions_NSX.pdf
- 2019 Trustwave Global Security Report: https://www.trustwave.com/Resources/Library/Documents/2019-Trustwave-Global-Security-Report/
- *1 2017 Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017
- *2 PWC "20th CEO Survey" of 5,351 members of the public, in 22 countries: https://www.pwc.com/jg/en/publications/pwc-ceo-report-2017%20(2).pdf
- NIST Cyber Security Framework: https://www.nist.gov/cyberframework
- List of compatible key management servers: https://www.vmware.com/resources/compatibility/search.php?deviceCategory=kms&details=1&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc
- VMware Compatibility Guide: https://www.vmware.com/resources/compatibility/search.php
- VxRail Techbook: https://infohub.delltechnologies.com/t/techbook-dell-emc-vxrail-system-2/ and https://www.emc.com/collateral/technical-documentation/h15104-VxRail-appliance-techbook.pdf
- Security Features of the integrated Dell Remote Access Controller (iDRAC): http://en.community.dell.com/techcenter/extras/m/white_papers/20441744/download
- vSAN documentation: https://docs.vmware.com/en/VMware-vSAN/index.html
- Four business transformations: https://www.youtube.com/watch?v=TcKJ39_4Rwc
- VMware encryption certifications: https://www.vmware.com/security/certifications/fips.html
- VMware vRealize Log Insight: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vrealize-log-insight/vrealize-log-insight-datasheet.pdf
- NIST certifications for FIPS 140-2 (search by Vendor for Dell EMC and VMware): https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
- VMware Secure Development Lifecycle: https://www.vmware.com/security/sdl.html
- VMware Key Management: https://blogs.vmware.com/vsphere/2017/10/key-manager-concepts-toplogy-basics-vm-vsan-encryption.html
- vSphere 6.5 / 7.0 Security Guide: https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-70-security-guide.pdf and https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf
- Building Trust with DELL EMC Product Security Programs: https://www.emc.com/products/security/index.htm

SaaS multi-cluster management ACE Resources
- ACE Overview video demo: https://vxrail.is/acedem
- Smart update bundle staging video demo: https://vxrail.is/aceupdates
- Solution overview, SaaS multi-cluster management infographic: https://www.dellemc.com/en-us/collaterals/unauth/infographic/products/converged-infrastructure/dell-emc-vxrail-hci-system-software-multi-cluster-management-infographic.pdf and https://www.dellemc.com/resources/en-us/asset/offering-overview-documents/products/converged-infrastructure/vxrail-ace-solution-brief.pdf
- Dell Technologies MyService360 overview: https://www.delltechnologies.com/et-ee/services/support-deployment-technologies/my-service-360.htm
- VxRail Comprehensive Security by Design (white paper): https://infohub.delltechnologies.com/t/dell-emc-vxrail-appliances-comprehensive-security-by-design/ and https://www.dellemc.com/resources/en-us/asset/white-papers/products/converged-infrastructure/VxRail_Comprehensive_Security_by_Design.pdf
- Dell Technologies Product Security practices: https://www.delltechnologies.com/en-us/products/security/index.htm
- VMware Blog covering vSAN 7 Update 1 data-in-transit encryption and Secure Disk Wipe: https://blogs.vmware.com/virtualblocks/2020/10/12/vsan-a-secure-fortress-for-your-data/

YouTube - Security Resources
- YouTube - VxRail Security Hardening and Compliance: https://www.youtube.com/watch?v=ZjhfCE5nq6U
- YouTube - VxRail Security Overview: https://www.youtube.com/watch?v=ZTNmYBgJv4s