Configuring security can be a complex, error-prone process that carries many of the same risks it seeks to mitigate. Three different elements simplify the process of securing the VxRail infrastructure. First, vSphere takes a “secure by default” approach to configuration. Second, Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) give a blueprint for security hardening, and a variety of automation tools can check security parameters against that blueprint and configure them as necessary, so the risk profile can be matched to the business needs. Finally, the ability to automatically revert the configuration to a known secure state when unexpected changes occur is a vital part of VxRail security.
Starting with vSphere 6.0, VMware began an initiative to make security the default setting for vSphere. This makes VxRail more secure straight out of the box. As part of this initiative, each recommended security setting was classified either as site-specific or as one whose default could be changed to the secure value. Settings that previously had to be changed after installation were updated so that the secure setting became the default.
Configuration settings that are classified as site-specific have no universal secure value and therefore cannot be preconfigured by default; the hostname of a remote syslog or NTP server is one example. With VxRail, many of the settings that VMware classifies as site-specific are configured by HCI System Software as part of the installation.
Many organizations use STIGs as a baseline for hardening their systems. Each STIG provides a checklist both as a human-readable PDF and as an automated script, which allows automation tools to read the STIG and configure the environment to match the recommended configuration with minimal manual intervention. Existing VMware STIGs cover VxRail components including vSphere, ESXi, and vSAN, making implementation as easy as possible. Dell VxRail Appliances running VxRail Appliance software v4.5.x or 4.7.x comply with the relevant DISA Security Technical Implementation Guide (STIG) requirements.
Over time, configurations can drift to less secure positions. Because of this, it is important not only to monitor the configuration but also to automate the restoration of the environment to its initial secure state. VxRail supports several options depending on the level of automation required. VxRail’s automated hardening tools check the current configuration against a STIG and, if the configuration has changed, revert it to the known safe state. If a more extensive automation tool is required, VMware vRealize Suite works with VxRail environments to automate configuration management while maintaining governance and control. In addition, VMware offers AppDefense, a more application-focused tool that uses machine learning to gather information about a known good state for VMs and the applications they support. With this tool, when a variation from the known good state is detected, the administrator is notified, and a response can be automated from a library of incident response routines.
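The drift check described above, together with the distinction between fixed-value and site-specific settings from the earlier paragraph, can be shown in a small script. This is an added example, not VxRail or VMware code. The ESXi advanced-setting names are real, but the baseline values, the severities and the "drifted host" configuration are constructed placeholders for illustration and are not the published STIG values; a site-specific setting is checked only for being set, because no tool can pick its correct value automatically.

```python
"""Configuration drift check against a STIG-style baseline (added example)."""
from dataclasses import dataclass
from typing import Any

# Sentinel for settings that must be configured but have no universal default
# (for example a remote syslog host): the check can only confirm they are set.
SITE_SPECIFIC = object()


@dataclass(frozen=True)
class Rule:
    setting: str
    expected: Any   # concrete value, or SITE_SPECIFIC
    severity: str   # "high", "medium" or "low"


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    current: Any
    expected: Any
    remediable: bool  # False for site-specific settings: a person must choose the value


# Constructed baseline modelled on a STIG checklist; values are illustrative only.
BASELINE = [
    Rule("Config.HostAgent.plugins.solo.enableMob", False, "high"),
    Rule("Security.AccountLockFailures", 3, "medium"),
    Rule("UserVars.ESXiShellInteractiveTimeOut", 600, "medium"),
    Rule("Syslog.global.logHost", SITE_SPECIFIC, "medium"),
]

# Constructed snapshot of a host whose configuration has drifted after installation.
DRIFTED_HOST = {
    "Config.HostAgent.plugins.solo.enableMob": True,  # re-enabled during troubleshooting
    "Security.AccountLockFailures": 3,                # still matches the baseline
    "UserVars.ESXiShellInteractiveTimeOut": 0,        # idle timeout switched off
    "Syslog.global.logHost": "",                      # remote syslog never configured
}

_SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_drift(baseline: list[Rule], current: dict[str, Any]) -> list[Finding]:
    """Compare a host's settings with the baseline and return every deviation."""
    findings = []
    for rule in baseline:
        value = current.get(rule.setting)
        if rule.expected is SITE_SPECIFIC:
            # Only presence can be verified; the value itself is an operator decision.
            if value in (None, ""):
                findings.append(Finding(rule.setting, rule.severity, value,
                                        "<site-specific value required>", False))
        elif value != rule.expected:
            findings.append(Finding(rule.setting, rule.severity, value,
                                    rule.expected, True))
    return findings


def remediation_plan(findings: list[Finding]) -> list[tuple[str, Any]]:
    """Settings that can be reverted automatically, highest severity first."""
    auto = [f for f in findings if f.remediable]
    auto.sort(key=lambda f: _SEVERITY_ORDER[f.severity])
    return [(f.setting, f.expected) for f in auto]


def revert(current: dict[str, Any], plan: list[tuple[str, Any]]) -> dict[str, Any]:
    """Apply the plan to a copy of the configuration and return the result."""
    restored = dict(current)
    for setting, value in plan:
        restored[setting] = value
    return restored


if __name__ == "__main__":
    findings = check_drift(BASELINE, DRIFTED_HOST)
    for f in findings:
        print(f"[{f.severity}] {f.setting}: current={f.current!r} expected={f.expected!r}")
    plan = remediation_plan(findings)
    restored = revert(DRIFTED_HOST, plan)
    left = check_drift(BASELINE, restored)
    print(f"auto-remediated {len(plan)} setting(s); {len(left)} need an operator")
```

Running the script reports three deviations, reverts the two fixed-value settings, and leaves the empty syslog host as the one item that still needs an operator to supply a site-specific value. In a real deployment the `revert` step would call the management API of the platform rather than mutate a dictionary, and the restored state should be re-checked, as shown, so that the report reflects what the host actually looks like after remediation.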
VxRail Analytical Consulting Engine (ACE) Global Orchestration complements the built-in operational simplicity with operational intelligence for VxRail clusters. VxRail ACE delivers a combination of operational simplicity and operational intelligence with intrinsic security, enabling companies’ pursuit of IT infrastructure transformation.
VxRail ACE runs on a Dell EMC IT-managed cloud platform. As a cloud-based SaaS solution, VxRail ACE has the flexibility to deliver new functionality frequently and without disruption, providing an exceptional customer experience. Its neural network for deep learning will continually improve its predictive capabilities as it ingests the wealth of metadata VxRail can collect about its clusters.
VxRail users can access VxRail ACE at https://vxrailace.emc.com using their Dell EMC support credentials.