Data security follows the CIA triad (confidentiality, integrity, availability) to ensure that data is available only to authorized accounts and that compliance requirements and specifications are met. This covers both physical access and user-level access to data.
Preventing sensitive information from reaching the wrong people while ensuring appropriate, authorized access to a company’s data is a fundamental problem summed up as confidentiality or privacy. VxRail addresses the confidentiality of data in use, data in motion, and data at rest several different ways.
Encryption protects the confidentiality of information by encoding it to make it unintelligible to unauthorized recipients. With VxRail, datastores can be encrypted using vSAN’s data-at-rest encryption (D@RE), which provides FIPS 140-2 Level 1 validated protection. Individual VMs can be encrypted using vSphere Encryption, and VMs in motion can be encrypted using vMotion encryption. Additional levels of encryption may be configured based on the application requirements.
vSAN encryption is the easiest and most flexible way to encrypt data at rest because the entire vSAN datastore is encrypted with a single setting. This encryption is cluster-wide for all VMs using the datastore. Normally, encrypted data does not benefit from space-reduction techniques such as deduplication or compression. But with vSAN, encryption is performed after deduplication and compression, so the full benefit of these space reduction techniques is maintained.
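The ordering described above, as an added illustration that is not VxRail or vSAN code: a simulated datastore that dedups and compresses plaintext blocks before encrypting them, beside the reverse ordering. The cipher is a stand-in keystream built from SHA-256 (tweaked by block number, as disk encryption does), and the 4 KiB block size and sample data are constructed assumptions.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed block size for the demo

# Constructed sample: sixteen identical 4 KiB blocks of log-like text, which
# dedups to a single block and compresses well while still in plaintext.
SAMPLE = (b"auth ok user=svc-backup src=10.0.0.5\n" * 120)[:BLOCK] * 16

def tweaked_xor(data: bytes, key: bytes, tweak: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode, tweaked by block number).
    Demo only, NOT vSAN's cipher; it yields random-looking ciphertext that differs
    for identical plaintext blocks stored at different positions."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + tweak.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def split(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def bytes_stored_reduce_then_encrypt(data: bytes, key: bytes) -> int:
    """vSAN ordering: dedup and compress the plaintext, then encrypt what remains."""
    unique = {hashlib.sha256(b).digest(): b for b in split(data)}  # dedup on plaintext
    return sum(len(tweaked_xor(zlib.compress(b), key, n))
               for n, b in enumerate(unique.values()))

def bytes_stored_encrypt_then_reduce(data: bytes, key: bytes) -> int:
    """Reverse ordering: every ciphertext block is unique and incompressible."""
    cipher = [tweaked_xor(b, key, n) for n, b in enumerate(split(data))]
    unique = {hashlib.sha256(c).digest(): c for c in cipher}  # dedup finds nothing
    return sum(len(zlib.compress(c)) for c in unique.values())

if __name__ == "__main__":
    key = b"demo-key-not-secret"
    print(f"raw {len(SAMPLE)} B, reduce-then-encrypt "
          f"{bytes_stored_reduce_then_encrypt(SAMPLE, key)} B, encrypt-then-reduce "
          f"{bytes_stored_encrypt_then_reduce(SAMPLE, key)} B")
```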
VM Encryption provides the flexibility to enable encryption on a per-VM basis, which means a single cluster may have encrypted and non-encrypted VMs. VM Encryption follows the VM wherever it is hosted. So even if the VM was moved to a datastore outside the VxRail, it would remain encrypted.
In addition, VM encryption can be turned on and off. VMs that are encrypted always use encrypted vSphere vMotion when they are migrated. For VMs that are not encrypted, the vMotion encryption option can be set to Disabled, Opportunistic, or Required; Opportunistic is the default for unencrypted VMs. The following figure summarizes the difference between VM encryption and vSAN encryption:
Figure 9. VM encryption vs. vSAN encryption
In addition, VxRail supports encrypted vMotion where VMs are encrypted when they are moved between hosts. This includes vMotion migrations within a VxRail as well as vMotion migrations to or from a VxRail cluster within a vCenter instance. Encrypted vMotion can be used with vSAN encryption to have both data at rest encryption and data in flight encryption. Encrypted vMotion is enforced for VMs with vSphere Encryption enabled.
Except for vMotion Encryption, where vSphere provides the temporary keys that are used to encrypt the data in motion, a Key Management Server (KMS) is required for the secure generation, storage, and distribution of the encryption keys. When encryption is enabled, vCenter establishes a trust relationship with the KMS and then passes the KMS connection information on to the ESXi hosts. The ESXi hosts request encryption keys directly from the KMS and perform the data encryption and decryption. vCenter connectivity is only required for the initial setup.
Because the KMS is a critical component of the security infrastructure, it should have the same level of redundancy and protection typically applied to other critical infrastructure components, such as DNS, NTP, and Active Directory. It is important to remember that the KMS should run physically separate from the elements that it encrypts. During startup, the ESXi hosts request the keys from the KMS. If the KMS is unavailable, the system will not be able to complete the startup.
VxRail and VMware support KMSs that are compatible with Key Management Interoperability Protocol (KMIP) v1.1 or higher such as Dell EMC CloudLink. VMware maintains a Compatibility Guide of KMSs that have been validated with vSphere.
Within vSphere, encryption is handled by a common set of modules that are FIPS 140-2 validated. These common modules are designed, implemented, and validated under the VMware Secure Development Lifecycle. Having a set of common modules for encryption allows VxRail to make encryption easier to implement, manage, and support.
Encryption is enabled on the VxRail through a simple configuration setting in vCenter. Access controls ensure that only authorized individuals are allowed to enable or disable encryption. A role named “No Cryptography Administrator” allows an administrator to perform normal administrative tasks without the authority to alter encryption settings.
Dynamic virtual environments such as VxRail often benefit from the flexibility that Software Defined Network (SDN) services provide. The easiest way to provide SDN on VxRail is with VMware NSX, which is an optional software license and not included with VxRail. NSX is a complete network virtualization and security platform that allows administrators to create entire virtual networks, including routers, firewalls, and load balancers purely in software. Because this software-defined networking is decoupled from the underlying physical network infrastructure, it’s not dependent on VxRail being attached to a particular switch vendor.
NSX with VxRail is an integrated security solution that reduces the need to deploy additional security hardware or software components. With NSX, VxRail administrators configure micro-segmentation to secure and isolate different tenant workloads, control ingress and egress, and provide enhanced security for all workloads, including traditional multi-tier applications and general-purpose VMs, as well as VDI environments. A few of the benefits of using NSX with VxRail include:
NSX enhances the security posture of an environment and is compliant with the following certifications and standards:
By leveraging the optional VMware NSX platform for security with VxRail, firewall and security policies are built in. This provides a truly converged appliance as opposed to security sitting externally at the perimeter. Deploying the NSX with VxRail further reduces the time it takes to deploy new application initiatives as security controls become part of the appliance, rather than additional hardware or software components that are bolted on.
For environments needing even greater security with flexibility, lockdown mode can be configured for the ESXi. In lockdown mode, the ability to perform management operations on individual hosts is limited, forcing management task completion to occur through vCenter.
Lockdown in “Normal” mode allows a select group of users to be white-listed, enabling them to manage the servers locally instead of through vCenter; this whitelist must include certain VxRail management accounts.
In strict lockdown mode, no users are allowed to manage the servers locally. Lockdown in “Strict” mode is not supported by VxRail.
Unsecured management traffic is a significant security risk. Because of that, VxRail uses management interfaces secured with Transport Layer Security (TLS 1.2). vCenter, iDRAC, and HCI System Software all disable the clear-text HTTP interface and require the use of HTTPS, which uses TLS 1.2. In addition, access to the command line of the ESXi servers must use SSH. Using SSH and HTTPS is a vital part of secure command and control for a VxRail.
Integrity of a company’s data is a fundamental requirement of business operations. VxRail ensures the integrity of your data by maintaining the consistency, accuracy, and trustworthiness of data over its lifecycle, by controlling user access, and through built-in integrity features such as data checksums.
Network segmentation is used to isolate private network traffic from public traffic in order to reduce the attack surface. It is also an effective security control for limiting the movement of an attacker across networks.
VxRail is engineered with multiple levels of network segmentation, including physical segmentation of the hardware management network, virtual segmentation of application and infrastructure networks, and micro-segmentation at the VM and application level with the optional NSX software from VMware. Through segmentation, the visibility of critical administrative tools is limited, preventing attackers from using them against a system. By default, appropriate network segmentation is automatically configured as part of the system initialization and the administrator has the flexibility to define additional levels of segmentation as required for the application environment. Best practices for network configuration are presented in Dell EMC VxRail Network Guide.
VxRail uses VMware Distributed Virtual Switches that segment traffic by default using separate VLANs for Management, vSAN, vMotion, and application traffic. The vSAN and vMotion networks are private, non-routable networks. Depending on the applications supported by a VxRail network, traffic could be further segmented based on different applications, production, and non-production traffic or other requirements.
The Distributed Virtual Switch on a VxRail is configured by default with vSphere Network I/O Control (NIOC). NIOC allows physical bandwidth to be allocated for different VLANs. Some cyber-attacks, such as denial of service and worms, can lead to overuse of resources. This can cause a denial of resources to other services that are not directly under attack. NIOC can guarantee that other services will have the network bandwidth they need to maintain their integrity in the event of an attack on other services. NIOC settings are automatically configured following recommended best practices when the system is initialized. The Dell EMC Network Guide includes details of the NIOC settings for the default VxRail VLANs.
Each VxRail node has a separate physical Ethernet port for the iDRAC hardware management interface. Physically segmenting this network makes it difficult for attackers to gain access to hardware management. In the event of a distributed denial of service attack, the physically segmented network will not be affected, limiting the scope of a potential attack.
UEFI secure boot protects the operating system from corruption and rootkit attacks. UEFI secure boot validates that the firmware, boot loader, and VMkernel are all digitally signed by a trusted authority. In addition, UEFI secure boot for ESXi validates that the VMware Install Bundles (VIBs) are cryptographically signed. This ensures that the server boot stack is running only genuine software and that it has not been changed.
A key part of data integrity is validating that the data retrieved from storage has not been altered since it was written. VxRail uses block level end-to-end data integrity checksum by default. The checksum is created when the data is written. The checksum is then verified on read, and if the checksum shows that the data has changed from when it was written, it is reconstructed from other members of the RAID group. vSAN also uses a proactive scrubber mechanism to detect and correct potential data corruption, even on infrequently accessed data.
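The checksum-on-write, verify-on-read, repair-from-a-healthy-member and proactive-scrub behaviour described above, as an added simulation that is not vSAN's implementation: a two-way mirror (an assumed RAID-1 layout) stores a CRC32 beside each block, and a constructed silent-corruption helper flips bytes without updating the CRC.

```python
import zlib

class MirroredStore:
    """Constructed demo: each logical block is written to every replica with a
    CRC32 recorded alongside the data. RAID-1 style, an assumption for the demo."""

    def __init__(self, copies: int = 2):
        self.replicas = [dict() for _ in range(copies)]  # block id -> (data, crc)
        self.repairs = []  # (block id, replica index) rebuilt from a healthy copy

    def write(self, block_id: int, data: bytes) -> None:
        crc = zlib.crc32(data)  # checksum is created when the data is written
        for replica in self.replicas:
            replica[block_id] = (data, crc)

    def read(self, block_id: int) -> bytes:
        """Verify the checksum on read; rebuild any failing copy from a healthy one."""
        for idx, replica in enumerate(self.replicas):
            data, crc = replica[block_id]
            if zlib.crc32(data) == crc:
                self._repair_others(block_id, data, crc, good=idx)
                return data
        raise IOError(f"block {block_id}: no replica passes its checksum")

    def _repair_others(self, block_id: int, data: bytes, crc: int, good: int) -> None:
        for idx, replica in enumerate(self.replicas):
            stored, stored_crc = replica[block_id]
            if idx != good and zlib.crc32(stored) != stored_crc:
                replica[block_id] = (data, crc)  # reconstruct from the healthy member
                self.repairs.append((block_id, idx))

    def scrub(self) -> int:
        """Proactive scrubber: verify every block, even ones never read by a client.
        Returns the number of replica copies repaired during this pass."""
        before = len(self.repairs)
        for block_id in list(self.replicas[0]):
            self.read(block_id)
        return len(self.repairs) - before

def corrupt(store: MirroredStore, replica: int, block_id: int, byte_index: int) -> None:
    """Simulate silent media corruption: flip one byte without touching the CRC."""
    data, crc = store.replicas[replica][block_id]
    flipped = bytearray(data)
    flipped[byte_index] ^= 0x55
    store.replicas[replica][block_id] = (bytes(flipped), crc)
```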
Keeping your IT system updated, making sure hardware is functioning correctly, and providing adequate bandwidth are all keystones for maintaining the availability of a company’s data to authorized users. VxRail software lifecycle management, vSphere availability features, proactive monitoring, and built-in recovery, as well as physical security of the hardware and secure system configuration, ensure maximum system availability.
One of the most critical actions an organization can take to keep its IT infrastructure secure is to keep software updates and patches current. Updates and patches don’t just fix issues that might potentially lead to downtime or improve performance; they often fix security vulnerabilities. There is tremendous collaboration within the security community. With VxRail being co-engineered with VMware, we are read in early on plans for security fixes, which enables the VxRail team to quickly validate and prepare pre-qualified security patches. But not everyone is on the same side, and it becomes a race between the defenders who are working to mitigate and remediate the threats and the attackers whose goal is to exploit the vulnerabilities.
VxRail software lifecycle management makes what could be complex and risky update operations easy to install and safe to implement. The VxRail HCI system is the only system where all software components are engineered, tested, and released as a bundle. VxRail software bundles may include updates to BIOS, firmware, hypervisor, vSphere, or any of the included management components. If and when vulnerabilities are discovered, fixes are quickly developed to mitigate threats regardless of where they are. Update bundles are extensively tested on the VxRail hardware platform and the entire VxRail software stack before being released to customers.
Administrators are notified through the HCI System Software when updates are available. The administrator can then download the update bundle directly and initiate or schedule an orchestrated update process. Updates are performed as rolling processes while the system remains online serving the business. If a reboot is required, the VMs are automatically migrated to other nodes in the cluster before continuing.
Not only does HCI System Software lifecycle management reduce complexity, but it also makes the infrastructure more secure by reducing the time and difficulty it takes to patch systems and remove the risk.
VxRail leverages the built-in vSphere availability features including VMware High Availability (HA), VMware Distributed Resource Scheduler (DRS), and VMware stretched clusters. These capabilities support VxRail automated software lifecycle management and provide continuous availability of services hosted on the VxRail. Therefore, it is recommended that customers use versions of vSphere that include these capabilities.
VMware HA monitors running VMs in a VxRail cluster. If a VM or node fails, HA restarts the VM on another node elsewhere in the cluster. A VM can fail for a number of reasons, including a cyber-attack, failure of the underlying hardware, or corrupted software. Although VMware HA does not prevent outages, it minimizes the time it takes to restore services.
VMware DRS spreads the VM workload across all the hosts in the cluster. As VM resource demands change, DRS migrates VM workloads, using vSphere vMotion, to other hosts within the cluster. Cyber-attacks can cause resource issues for VMs not targeted by the attack: they often cause heavy resource utilization by the VM being attacked, and therefore heavy utilization of resources at the host level, which reduces the resources available for other VMs on that host. DRS protects VMs by migrating them away from resource-constrained hosts, enabling the VMs to continue to provide services.
VMware stretched cluster extends the VxRail cluster from a single site to two sites for a higher level of availability. Only a single instance of a VM exists; however, full copies of its data are maintained at both sites. Should the site the VM is running on become unavailable, the VM is restarted at the other site.
Strong security defenses are critical, but a robust and trusted recovery plan is equally important. Backup and replication are the cornerstones of recovery after a breach. To aid in recovery, HCI System Software includes file-based backup and restore. All VxRail Appliances incorporate a starter pack for Dell EMC RecoverPoint for VMs (RP4VM), which provides best-in-class local and remote replication and granular recovery.
HCI System Software file-based backup and restore protects against the accidental deletion of the virtual appliance or the internal corruption of the appliance. Backups can be configured to occur regularly or on an as-needed basis. This is an all-inclusive feature that backs up files inside the vSAN datastore so additional hardware and software are not required.
With RP4VM, if, for example, a VM is compromised or data is damaged or ransomed, the VM and its dataset can quickly be rolled back to a point in time prior to the attack, allowing the business to recover quickly. Installed directly from VxRail Manager, RP4VM is quickly deployed, and day-to-day monitoring occurs through the familiar vCenter plug-in. Recovery is easy and performed using a familiar vSphere interface.
For organizations that require enhanced, comprehensive data protection capabilities, VxRail supports options including Dell EMC Data Protection Suite for VMware, Dell EMC Power Protect, and Dell EMC Data Domain Virtual Edition.
File-based backups of VxRail HCI System Software help to ensure business continuity in the rare event the VxRail VM needs to be rebuilt.