VxRail HCI System Software SaaS multi-cluster management complements the built-in operational simplicity with operational intelligence for VxRail clusters. SaaS multi-cluster management delivers a combination of operational simplicity and operational intelligence with intrinsic security, enabling companies' pursuit of IT infrastructure transformation.
SaaS multi-cluster management runs on a Dell EMC IT-managed cloud platform. As a cloud-based SaaS solution, SaaS multi-cluster management has the flexibility to deliver new functionality frequently and without disruption, providing an exceptional customer experience. Its neural network for deep learning will continually improve its predictive capabilities as it ingests the wealth of metadata VxRail can collect about its clusters.
VxRail users can access SaaS multi-cluster management via a web portal, MyVxRail, at https://myvxrail.dell.com using their Dell EMC support credentials.
SaaS multi-cluster management collects telemetry data from VxRail nodes across the organization's VxRail clusters via a data collector service running on VxRail HCI System Software. It securely transmits that data to the cloud platform via the Secure Remote Services (SRS) gateway, as shown in the following figure:
Figure 11. SaaS multi-cluster management connectivity
Dell EMC understands customers' concerns in maintaining the security of their data. Security is intrinsic to SaaS multi-cluster management, from data collection through data transit and at rest. In addition, SaaS multi-cluster management has been securely developed using architectural controls as part of the Dell EMC standard Security Development Lifecycle. This standard defines the security-focused activities Dell EMC product teams must follow when building and releasing products, in order to minimize the risks to our products and customer environments from security vulnerabilities.
On each VxRail cluster, the Adaptive Data Collector (ADC) service retrieves telemetry data from the HCI System Software through VxRail hardware and software connectors. ADC does not collect any Personally Identifiable Information (PII). The telemetry data collected by the ADC is shown in the following table:
Table 1. VxRail telemetry data collected by SaaS multi-cluster management
Basic Telemetry | Performance Data | Alarms | Hardware Sensor Data
Telemetry data collected by the ADC is not stored locally; the data is transmitted securely over the Dell SRS Gateway.
Only data collected by the Adaptive Data Collector (ADC) is sent to the Dell EMC backend. SaaS multi-cluster management subscribes for notifications of HCI system data arrival via the SRS Gateway. Customers control which systems send HCI system data over the gateway. All data transmitted over the Dell EMC SRS Gateway is protected in transit by industry-standard best practices. The SRS Gateway is bi-directionally authenticated using RSA® digital certificates in conjunction with customer-controlled access policies and a detailed audit log. Point-to-point communication is established through Advanced Encryption Standard (AES) 256-bit encryption, ensuring all data is securely transported to the Dell EMC IT-managed infrastructure. SRS provides for dedicated VPN and multi-factor authentication. Once the data arrives at Dell, SaaS multi-cluster management encrypts and stores the data in its own Dell EMC IT-managed infrastructure.
HCI system data received from clusters enabled for telemetry data collection is encrypted and stored on the Dell EMC IT-managed infrastructure.
The Dell EMC IT infrastructure:
Dell Technologies Security and Resiliency Office (SRO), led by Dell's Chief Security Officer, is responsible for the security and protection of Dell EMC's information technology infrastructure that hosts the SaaS multi-cluster management solution. This is accomplished via established governing security policies and procedures and enforcement of Information Security controls, which include measures such as multi-layered firewalls, intrusion detection systems, industry-leading antivirus, and malware protection. The Dell EMC cybersecurity team is involved in running continuous vulnerability scans on the application and underlying environment. Any required remediation is handled through an ongoing vulnerability remediation program such as software upgrades, patches, or configuration changes.
All data sent to SaaS multi-cluster management is stored on infrastructure hosted in the Dell EMC data center. The Information Security Policy ensures that all Dell EMC information and resources are properly protected; information owners must ensure all resources are accounted for and that each resource has a designated custodian. All infrastructure components are located in the dedicated Dell EMC firewall-protected enclave network that is not exposed to external access. No individual direct login to the database server and database is allowed, except by the members of the System Administrator and Database Administrator teams. Database application accounts are managed using standard database password authentication. Dell EMC has implemented an industry best practice Change Management process to ensure that Dell EMC infrastructure hardware is stable, controlled, and protected. Change Management provides the policies, procedures, and tools needed to govern these changes to ensure that they undergo the appropriate reviews and approvals and are communicated effectively to users.
SaaS multi-cluster management data access can be divided into two categories:
The sub-sections below describe how data access is controlled by these two categories of users.
Customers use their existing support account to log in to MyVxRail. Access to SaaS multi-cluster management data from MyVxRail requires that each end user has a valid Dell EMC support account. Authentication is handled by Dell EMC's Single-Sign-On (SSO) infrastructure. MyVxRail uses the Dell EMC MyService360 customer user profile for access control. The user profile is created and associated with a valid customer profile when the user registers for an account with Dell EMC. MyVxRail provides each customer with a secure independent view of their systems and ensures that they will only see their data. Each user can only see those systems in MyVxRail that are part of that user's site access as per the configuration of that user in Dell EMC MyService360.
Dell EMC is very sensitive to the importance of protecting customers' proprietary and confidential information. To that end, all Dell EMC employees are required to sign an employee agreement, which includes provisions that address all customer information. The obligations of this agreement extend to any machine-stored data perceived, in any manner or format, while engaged in maintenance services and remain in effect even after termination of employment with Dell EMC.