Yesterday Nutanix released version 4.1.1 of the Nutanix Operating System. Current customers can download and upgrade free of charge with no down time what so ever to their workloads.
New releases come with new features… so what’s in the box?
- Metro Availability
- Encryption Support
- VM Management for KVM
- Prism Central Scalability to 100 Clusters/10K VMs; added support for Hyper-V
- Security/STIG Enhancements
- One Click Hypervisor Upgrade
I’m being a little transparent above with the bold tags I suppose. That’s right, security, and not just the word itself. Version 4.1.1 introduces three new STIGs with a total rule count on the platform to over five hundred and thirty! By itself that may not seem all that impressive, well 530 should, but you need some foundation in order to appreciate what we are doing at Nutanix around security as a whole.
Nutanix Security Development Lifecycle (SecDL)
Security in and of itself seems to be a hard concept for many software companies. It’s an evolving landscape that requires a dedicated team of individuals to research and evaluate threats. It also requires a team that understands the platform they are supporting in order to properly categorize how mitigations to these threats are managed. This must be an integrated process throughout your Engineering and Support teams. Not only must a partnership be formed between your developers, support and the security team, but a passion for that robustness in the security of the platform must be shared by all parties. Sadly, where most fail is in this shared mindset, and by adopting the “bolt-on” approach. Good platform security is not an afterthought. It is front and center from the first design meeting to the final release day and beyond. Without a doubt it must be a pattern accepted from the top down, period.
Just one of the ways that Nutanix excels is in the adoption of what we call the Security Development Lifecycle, or SecDL for short. From the CEO down to the amazing developers on staff the decision to embrace a fully integrated development lifecycle was a simple one. The security process is now engrained as part of the development DNA, a foundational approach, and not the last minute burden or hurdle after the fact like some shops.
This also allows us to be uniquely agile in that security patches and updates to address CVEs or other industry vulnerabilities can be accomplished in days rather than months, or to the extreme years. That by itself is phenomenal in the software space.
Platform Security Technical Implementation Guide (STIG)
With the release of NOS 4.1.1 we’ve added three STIGs to the platform.
- JRE STIG
- Web Services STIG
- Operating System STIG
These are developed in the open XCCDF.xml format to support the Security Content Automation Protocol (SCAP) standard. In addition to being fully machine readable they are actually built to support automation and checking of your security posture. But wait, there’s more…
You don’t need to spin your own method to check your security posture, we do that for you as well. Within each CVM we offer repot_STIG.sh, report_jre_STIG.sh, and report_ws_STIG.sh. A script that can easily be run to assess the current security posture of your CVM providing an easy to consume report and just waiting for you to submit to your local IA team. You can even setup a simple cron to run and generate your reports on a periodic basis if you so choose.
The STIGs and our NTNX Operation Guide are available to all customers by way of our support portal, or by reaching out to your account team. We will dive into some of the interesting pieces of the STIG in future articles, including the Security Requirement Guides (SRG) consumed and the additional requirements above and beyond those guides that we enforce as standard.
Before I close up the introduction to NOS 4.1.1 and our Platform STIGs available in NOS 4.1.1 I wanted to point out something I feel is key in the way we at Nutanix approach security. Everything you see in the security documentation above is engrained into our code. You’re not having to set this up after you make a purchase. It’s part of the base product itself. Any customer, from commercial to Defense, are all benefiting from the same hardened baseline in our product. Security isn’t a feature, it’s a requirement, and we truly adopt that method of thinking here at Nutanix.
Going Forward and You
What does this actually mean to you in the field? I’ve been out there and I’ve felt your pain, both in management and with security compliance. The days of discussing security requirements within a limited vertical is over. Baseline hardening, compliance checking, CVE patch mitigation, these are ever increasing issues across all lines of business, not just the high-regulatory shops such as the Federal Government. Managing an Enterprise is tough! Nutanix just took yet another piece of that burden off your plate.