
Information Security

Nutanix Tech Note

Version 2.1 • July 2018 • TN-2026



Copyright
Copyright 2018 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws.
Nutanix is a trademark of Nutanix, Inc. in the United States and/or other jurisdictions. All other
marks and names mentioned herein may be trademarks of their respective companies.


Contents

1. Executive Summary................................................................................ 4

2. Introduction..............................................................................................5
2.1. Audience........................................................................................................................ 5
2.2. Purpose..........................................................................................................................5

3. Nutanix Enterprise Cloud Overview...................................................... 6


3.1. Nutanix Acropolis Architecture...................................................................................... 7

4. Security Development Life Cycle.......................................................... 8

5. Security Technical Implementation Guides........................................ 10

6. Native Local Key Manager................................................................... 13

7. Software-Based Data-at-Rest Encryption........................................... 16

8. Conclusion............................................................................................. 18

Appendix......................................................................................................................... 19
Risk Management Features................................................................................................19
About Nutanix......................................................................................................................20

List of Figures................................................................................................................21

List of Tables................................................................................................................. 22


1. Executive Summary
Cybersecurity threats grow and change every day, demanding perpetual vigilance and adaptation
to the shifting security landscape. However, upgrading security in a traditional three-tier
architecture is so time consuming and expensive, often involving multiple separate vendors,
that some enterprises put off innovation. In light of competing concerns—the need to reclaim
resources for innovation versus the need to keep costs down—corporate and government
environments demand a simpler approach: one vendor, with a technology platform secured by
design, and automated security compliance and reporting.
Nutanix takes a holistic approach to security, with an inherently secure platform, extensive
automation, and a robust partner ecosystem. The Nutanix security development life cycle
(SecDL) integrates security into every step of product development, rather than applying it as
an afterthought. The SecDL is a foundational part of product design. The pervasive culture
and processes built around security harden the Enterprise Cloud OS and eliminate zero-day
vulnerabilities. For example, research and development teams work together to fully understand
all the code in the product, whether it is produced in-house or inherited from dependencies.
We schedule product updates to handle known common vulnerabilities and exposures (CVEs)
for minor release cycles, and backport all dependencies to their latest release versions in
major release cycles. This approach significantly reduces zero-day risks without slowing down
product evolution. Efficient one-click operations and self-healing security models easily enable
automation to maintain security in an always-on hyperconverged solution. Expanding beyond
the platform into a robust set of security partners, Nutanix delivers validated joint solutions with
security-focused vendors.
Because traditional manual configuration and checks cannot keep up with the ever-growing
list of security requirements, Nutanix conforms to RHEL 7 Security Technical Implementation
Guides (STIGs) that use machine-readable code to automate compliance against rigorous
common standards. Currently, Nutanix tracks over 1,700 security entities across storage and
AHV. With Nutanix security configuration management automation (SCMA), you can quickly and
continually assess and remediate your platform to ensure that it meets or exceeds all regulatory
requirements.
As regulations become more cumbersome and threats continue to proliferate, a fully tested
platform with security at the forefront is the best choice for meeting tomorrow’s challenges today.
The Enterprise Cloud shrinks the compliance auditing window from months to minutes, allowing
you to focus instead on the applications that drive the business.


2. Introduction

2.1. Audience
This technical note is intended for security-minded people responsible for architecting, managing,
and supporting infrastructures, especially those who want to address security without adding
more human resources or additional processes to their datacenters.

2.2. Purpose
This document offers an overview of the security development life cycle (SecDL) Nutanix uses to
develop code and describes the extra measures we take to harden our platform. We show how
Nutanix exceeds security regulations and that running our platform streamlines infrastructure
security management.

Table 1: Document Version History

Version Number   Published       Notes
1.0              November 2015   Original publication.
1.1              February 2016   Minor updates throughout.
1.2              March 2016      Updated Executive Summary.
1.3              June 2017       Updated platform overview.
2.0              December 2017   Updated for AOS 5.5 and software-based data-at-rest encryption.
2.1              July 2018       Updated for AOS 5.8 software-based data-at-rest encryption with native key management.


3. Nutanix Enterprise Cloud Overview


Nutanix delivers a web-scale, hyperconverged infrastructure solution purpose-built for
virtualization and cloud environments. This solution brings the scale, resilience, and economic
benefits of web-scale architecture to the enterprise through the Nutanix Enterprise Cloud
Platform, which combines three product families—Nutanix Acropolis, Nutanix Prism, and Nutanix
Calm.
Attributes of this Enterprise Cloud OS include:
• Optimized for storage and compute resources.
• Machine learning to plan for and adapt to changing conditions automatically.
• Self-healing to tolerate and adjust to component failures.
• API-based automation and rich analytics.
• Simplified one-click upgrade.
• Native file services for user and application data.
• Native backup and disaster recovery solutions.
• Powerful and feature-rich virtualization.
• Flexible software-defined networking for visualization, automation, and security.
• Cloud automation and life cycle management.
Nutanix Acropolis provides data services and can be broken down into three foundational
components: the Distributed Storage Fabric (DSF), the App Mobility Fabric (AMF), and AHV.
Prism furnishes one-click infrastructure management for virtual environments running on
Acropolis. Acropolis is hypervisor agnostic, supporting three third-party hypervisors—ESXi,
Hyper-V, and XenServer—in addition to the native Nutanix hypervisor, AHV.

Figure 1: Nutanix Enterprise Cloud


3.1. Nutanix Acropolis Architecture


Acropolis does not rely on traditional SAN or NAS storage or expensive storage network
interconnects. It combines highly dense storage and server compute (CPU and RAM) into a
single platform building block. Each building block delivers a unified, scale-out, shared-nothing
architecture with no single points of failure.
The Nutanix solution requires no SAN constructs, such as LUNs, RAID groups, or expensive
storage switches. All storage management is VM-centric, and I/O is optimized at the VM virtual
disk level. The software solution runs on nodes from a variety of manufacturers that are either
all-flash for optimal performance, or a hybrid combination of SSD and HDD that provides a
combination of performance and additional capacity. The DSF automatically tiers data across the
cluster to different classes of storage devices using intelligent data placement algorithms. For
best performance, algorithms make sure the most frequently used data is available in memory or
in flash on the node local to the VM.
To learn more about the Nutanix Enterprise Cloud, please visit the Nutanix Bible and
Nutanix.com.


4. Security Development Life Cycle


Security can be especially costly when working with independently developed products created
within their own silos. Even with traditional converged infrastructure, security is often an
afterthought when developing a solution. The need for interoperability can take precedence over
security best practices, weakening the overall design. Nutanix makes security an important part
of every process in the development cycle, which helps us catch security vulnerabilities early and
move to patch without impact.
To maintain agile and comprehensive continuous security, Nutanix has developed its own
security development life cycle (SecDL). SecDL makes security a first-class citizen that leads
and develops best practices within Nutanix and for our customers. It integrates security features
into the software development process, including automated security testing during development
and threat modeling to assess and mitigate customer risk from code changes. A cross-functional
process run by the Nutanix Security Engineering and Research Team (nSERT), SecDL provides
both defense in depth and a “hardened by default” posture for releases.

Figure 2: SecDL Testing Is Fully Automated During Development

The SecDL is not a bolt-on to an existing software development process. The entire process
incorporates security at every stage of development—from the first day of code inclusion to
deployment. Using agile development methods instead of the classic waterfall methodology
allows developers to iterate quickly and to incorporate security without slowing development.
Prioritizing security means more than writing code that is secure; it occasionally means removing
or replacing problematic code as well. For example, the Nutanix team stopped supporting SSL
(Secure Sockets Layer) protocol in our product in favor of TLS (Transport Layer Security). This
decision has already prevented attacks.
After coding is complete, the QA process includes multiple security scans to reinforce
components and substantially reduce common vulnerabilities. Security researchers and
developers, working in a silo-free environment, recommend changes to the code and to the
process to harden every service at every layer.
During the maintenance portion of the life cycle, the SecDL process greatly simplifies applying
and maintaining required security configuration changes. Customers no longer have to keep
track of security vulnerabilities and interpret them one at a time, determining the correct course
of action in a piecemeal, almost speculative fashion. nSERT analyzes security problems for
you, then publishes recommendations that can be applied through one-click upgrades in the
Prism UI. These security-specific upgrades are automated for speed, reducing human error and
maintaining uptime.

Figure 3: Nutanix Agile Development Model

Having security at the forefront for the company—including for developers—empowers Nutanix
to respond to security threats swiftly and allows for easy and rapid product updates, rather than
having to return to the beginning of the development life cycle for each innovation. This process
is drastically different from that of other vendors, who make products and features generally
available, then release updates at six-month intervals. The best part of the Nutanix development
model is that all security updates are tested across the platform, from AOS, Acropolis File
Services (AFS), and the Self-Service Portal (SSP), to disaster recovery and AHV, drastically
reducing operational overhead.


5. Security Technical Implementation Guides


Managing security best practices in environments that aren’t heavily regulated can be a lot
like eating right. We all know we should eat more fruits and vegetables, but often we just pick
the easiest or cheapest option. Much as nutrition affects us regardless of whether we have a
parent watching what we eat, security best practices are relevant to all verticals regardless of
regulation. For this reason, and to ensure security against changing internal and external forces,
we automate validation so that compliance becomes the easiest option as well as the healthiest.
Nutanix has reduced the time and cost of validation by automating and testing Security Technical
Implementation Guides (STIGs) in house before shipping to customers. STIGs are based on
common National Institute of Standards and Technology (NIST) standards that can be applied to
multiple baseline requirements for the DoD and PCI-DSS.
The comprehensive STIGs are written in eXtensible Configuration Checklist Description Format
(XCCDF) in support of the Security Content Automation Protocol (SCAP) standard. This
machine-readable STIG format automates assessment tools and eliminates time-consuming
testing. Because the STIGs are machine-readable, they are ideal candidates for third-party apps
that probe for deficiencies in a system configuration.

Note: The XCCDF XML format is highly efficient for conversion from a manual
process to machine automation. Designed specifically to meet the SCAP standard,
the XML format is future-proof in that it supports the transition to the DoD Information
Assurance Risk Management Framework (DIARMF) for continuous monitoring.
Any third-party system that understands XCCDF-style formatting can consume the
STIGs.

Previously, it took countless hours to manually check files or find obscure settings. Even worse,
administrators had to track any aspects that couldn’t be automated in static spreadsheets. As a
result of automating these testing tasks, the accreditation process time for the DoD Information
Assurance Certification and Accreditation Process (DIACAP) has been shortened from as long
as a year to less than half an hour. This speed allows you to dynamically check an ever-changing
baseline.
Even with these advantages, simply offering the STIGs is not enough. Given that a system is
only known to be secure at the time of the last verification, you need to consistently examine the
baseline for compliance. To make such consistency easier, Nutanix has implemented security
configuration management automation (SCMA) to check over 800 security entities for both
Nutanix storage and AHV. Nutanix automatically reports log inconsistencies and reverts them to
the baseline.


This embedded SCMA also covers frustrating maintenance scenarios in which you upgrade your
storage or hypervisor software only to find that the new software has overwritten your careful
configuration work, forcing you to go through all the settings again from scratch. Returning to the
baseline manually is slow and error-prone, often causing significant problems, particularly when
dealing with major release upgrades. Companies have had to delay upgrading their systems
to preserve security compliance, even when an upgrade would offer new features required to
support the business. Nutanix SCMA means that businesses don’t have to shoulder the burden
of interoperability testing or go through cumbersome steps to manually inspect and revert the
upgraded system to a known good state.
With SCMA, you can schedule STIGs to run hourly, daily, weekly, or monthly. STIGs have the
lowest system priority within the virtual storage controller, ensuring that security checks do not
interfere with platform performance.
Multiple Nutanix clusters—deployed using the same gold image—inherit the same security
controls, so you only have to set them once, and Prism Central allows you to manage and
monitor them with an embedded self-service functionality. When Nutanix adds new features,
security is not an afterthought, so you’re never left vulnerable. When customers choose AHV,
they can have, out of the box, the most secure platform by default on the market today.

Figure 4: Check Content from the OS STIG

The figure above shows one example out of over 700 possible checks used for the AOS portion
of the RHEL STIG. Vulnerability Discussion addresses the rule and states what the expected
value should be. Check Content contains the machine-readable code used to automate the
check. A rule may have no check content information if the topic is addressed elsewhere; the
vulnerability discussion notes these cases.
Our compliance with RHEL 7 STIGs differs from other vendors’ compliance with other STIGs in
that we write all of the check and fix content (XML tags) as single lines of executable code. Most
manual checks require you to read through guides and interpret how to find and fix the open
vulnerabilities. In contrast, RHEL 7 STIGs remove both the labor and the ambiguity of manual
inspections—anytime you need to check compliance, simply run the STIG reports.
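The XCCDF consumption and the SCMA assess-and-revert loop described in this section, as an added example that is not Nutanix's code: it parses a constructed XCCDF 1.2 benchmark (the namespace is real; the benchmark, rule ids and the "line-check"/"line-fix" check systems are hypothetical), evaluates each selected rule's single-line check content against an in-memory config snapshot, and reverts failing settings to the baseline.

```python
"""Consume an XCCDF-style benchmark and run an SCMA-style assess/remediate loop.

Constructed example: the benchmark, the "line-check"/"line-fix" check systems
and the config snapshot are hypothetical so the code runs offline. Real STIG
check content is shell or OVAL; the assess -> report -> revert flow is the same.
"""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # real XCCDF 1.2 namespace

# Constructed benchmark: two rules and one profile that selects both.
# Check content is "file:regex"; fix content is "file:key=value".
SAMPLE_BENCHMARK = r"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_demo">
  <title>Constructed hardening baseline (not a DISA STIG)</title>
  <Profile id="xccdf_example_profile_strict">
    <select idref="xccdf_example_rule_ssh_root" selected="true"/>
    <select idref="xccdf_example_rule_ssh_proto" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_ssh_root" severity="high">
    <title>Root login over SSH must be disabled</title>
    <check system="urn:example:line-check">
      <check-content>sshd_config:^PermitRootLogin\s+no$</check-content>
    </check>
    <fix system="urn:example:line-fix">sshd_config:PermitRootLogin=no</fix>
  </Rule>
  <Rule id="xccdf_example_rule_ssh_proto" severity="medium">
    <title>SSH must use protocol version 2</title>
    <check system="urn:example:line-check">
      <check-content>sshd_config:^Protocol\s+2$</check-content>
    </check>
    <fix system="urn:example:line-fix">sshd_config:Protocol=2</fix>
  </Rule>
</Benchmark>
"""


def load_rules(xml_text, profile_id):
    """Return the rules a profile selects, each with its single-line check and fix."""
    root = ET.fromstring(xml_text)
    selects = root.findall(f".//x:Profile[@id='{profile_id}']/x:select", XCCDF_NS)
    selected = {s.get("idref") for s in selects if s.get("selected") == "true"}
    rules = []
    for rule in root.findall(".//x:Rule", XCCDF_NS):
        if rule.get("id") not in selected:
            continue
        check = rule.find("x:check/x:check-content", XCCDF_NS)
        fix = rule.find("x:fix", XCCDF_NS)
        rules.append({
            "id": rule.get("id"),
            "severity": rule.get("severity"),
            "title": rule.findtext("x:title", namespaces=XCCDF_NS),
            "check": check.text.strip() if check is not None else None,
            "fix": fix.text.strip() if fix is not None else None,
        })
    return rules


def run_check(check, config):
    """Pass if any line of the named file matches the check's regex."""
    fname, pattern = check.split(":", 1)
    return any(re.search(pattern, line) for line in config.get(fname, []))


def apply_fix(fix, config):
    """Replace (or add) a key in the named file with its baseline value."""
    fname, setting = fix.split(":", 1)
    key, value = setting.split("=", 1)
    kept = [line for line in config.get(fname, [])
            if not re.match(rf"{re.escape(key)}\b", line)]
    config[fname] = kept + [f"{key} {value}"]


def assess(rules, config):
    """One STIG report: rule id -> compliant? Rules without check content are skipped."""
    return {r["id"]: run_check(r["check"], config) for r in rules if r["check"]}


def remediate(rules, config):
    """SCMA-style pass: revert every failing rule that carries fix content."""
    fixed = []
    for r in rules:
        if r["check"] and r["fix"] and not run_check(r["check"], config):
            apply_fix(r["fix"], config)
            fixed.append(r["id"])
    return fixed


def demo():
    # Constructed snapshot of a node whose sshd_config drifted after an upgrade.
    config = {"sshd_config": ["Protocol 2", "PermitRootLogin yes", "X11Forwarding no"]}
    rules = load_rules(SAMPLE_BENCHMARK, "xccdf_example_profile_strict")
    before = assess(rules, config)
    fixed = remediate(rules, config)
    after = assess(rules, config)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    for rid, ok in before.items():
        print(f"{rid}: {'pass' if ok else 'FAIL'}")
    print("reverted to baseline:", fixed)
    print("all compliant after remediation:", all(after.values()))
```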
Our in-depth platform knowledge also enables an entirely different level of security. We don’t
expect customers to know more about securing our products than we do ourselves. Ownership
and direction have to come from the vendor to ensure a secure and seamless experience.


6. Native Local Key Manager


To help reduce cost and complexity, Nutanix added a native local key manager (LKM) for all
clusters with three or more nodes. The LKM runs as a service distributed among all the nodes.
It is easily activated from within Prism Element, so all customers can enable encryption without
yet another silo to manage. Customers looking to simplify their infrastructure operations can now
have one-click infrastructure for their key manager as well.
Usually, external key managers (EKMs) need to be purchased separately for both software and
hardware. Since the Nutanix LKM is running natively within the controller virtual machine (CVM),
it’s highly available and there is no variable add-on pricing based on the number of nodes. Every
time you add a node you know the final cost. There is also peace of mind because when you go
to upgrade your cluster, the key management services are also going to be upgraded. By having
both the infrastructure and management services upgraded in lockstep, you’re ensuring your
security posture and availability by staying in line with the support matrix.
Data is encrypted using a data encryption key (DEK). The native LKM service uses the FIPS
140 Crypto module to keep all the DEKs safe. No separate VMs are needed to support the
native LKM. Every storage container has its own DEK, which is typically then encrypted by a
key encryption key (KEK) that is sent to an EKM. Now that Nutanix supports its own native
LKM, Nutanix also takes the KEK and wraps it with a 256-bit encryption key called the machine
encryption key (MEK). The MEK is distributed among the CVMs in the cluster using a splitting
algorithm.
Since the MEK is shared, each node can read what other nodes have written. In order to
reconstruct the keys, a majority of the nodes need to be present. We use the equation
K = ceiling(N / 2) to determine how many nodes are required for the majority. For example, in an
11-node cluster (N = 11), we would need 6 nodes online to decrypt the data.
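The MEK split described above, as an added illustration rather than Nutanix's implementation: the tech note does not name its splitting algorithm, so this block assumes Shamir secret sharing over a prime field, applies the document's K = ceiling(N / 2) threshold, and shows that K shares rebuild a 256-bit key while K - 1 shares yield nothing useful.

```python
"""Threshold splitting of a 256-bit machine encryption key (MEK) across N CVMs.

Assumption: Shamir secret sharing over GF(p). The tech note only says the MEK is
distributed "using a splitting algorithm"; K = ceiling(N / 2) is its own formula.
"""
import secrets

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold any 256-bit key.
PRIME = 2**521 - 1


def threshold(n):
    """K = ceiling(N / 2): the number of nodes the document requires online."""
    return (n + 1) // 2


def split_secret(secret, n, k):
    """Split `secret` into n shares (x, y) of a random degree-(k-1) polynomial."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is reserved: f(0) is the secret
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 using exactly the points given."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def recover_secret(shares, k):
    """Rebuild the MEK from any k shares; refuse with fewer, as a quorum check would."""
    if len(shares) < k:
        raise ValueError(f"only {len(shares)} of the required {k} nodes present")
    return interpolate_at_zero(shares[:k])


def demo(n=11):
    """Constructed walk-through for an n-node cluster; returns what each step yielded."""
    mek = secrets.randbits(256)                     # constructed MEK for the demo
    k = threshold(n)                                # 6 for n = 11
    shares = split_secret(mek, n, k)                # one share per CVM
    recovered = recover_secret(shares[n - k:], k)   # any k of the n CVMs suffice
    too_few = interpolate_at_zero(shares[:k - 1])   # one node short: not the key
    return k, recovered == mek, too_few == mek


if __name__ == "__main__":
    k, ok, leaked = demo()
    print(f"threshold K = {k}; recovered with K shares: {ok}; "
          f"recovered with K-1 shares: {leaked}")
```

Note that for even N the formula gives exactly N / 2, so `threshold` mirrors the document's equation rather than a strict majority; confirm the quorum rule of the actual cluster size in use.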


Figure 5: EKM and LKM Workflows

Nutanix also provides an easy way to back up your DEKs from Prism. Each storage container
has a DEK, so when a new storage container is created, an alert is generated encouraging
administrators to make a backup. The backup is password protected and should be securely
stored. With the backup in hand, if a catastrophic event happens in your datacenter, you can
replicate the data and reimport the backup keys to get your environment up and running.


Figure 6: Securely Stored Backup DEK


7. Software-Based Data-at-Rest Encryption


Software-based data-at-rest encryption (DARE) is available across Hyper-V, ESXi, and AHV for
x86 platforms. Software-based encryption uses the Intel Advanced Encryption Standard (AES)
New Instructions (NI), an encryption instruction set that improves on the AES algorithm and
accelerates data encryption. Supporting AES NI in software gives customers flexibility across
hardware models while reducing CPU overhead. The default encryption setting is AES-256.
Encryption, once enabled, is not reversible. If your data must be encrypted, you don’t want to be
able to shut encryption off. Because Nutanix does not allow your administrators to turn off
encryption, you can prevent the insider attack of someone disabling the control and walking away
with your data.
For ESXi and Hyper-V, software DARE operates at the storage container level, and you can
move data from unencrypted to encrypted containers. Container-level encryption must be turned
on when the container is created. With ESXi, Hyper-V, and AHV, you can also decide to encrypt
the entire cluster. If you decide to encrypt at the cluster level, you must set encryption for new
clusters when you create them. When using cluster-level encryption, you cannot have written
user data; with ESXi and Hyper-V, all data must be already encrypted at the container level.
Key management with encryption can be challenging, but it’s very important. If you don’t manage
the keys properly, you can leave your data vulnerable. To safeguard your keys, Nutanix supports
third-party external key management as well as our native local key manager (LKM).
AOS places keys in a distributed key-value store, where they are available for use by a service
called Mantle. A highly available service, Mantle runs on all nodes in the cluster and acts as a
proxy between the external key manager (EKM) and internal AOS services. Mantle also allows you
to rotate the keys easily across the entire cluster. When you use Prism to create a new container
with encryption turned on, Prism generates the new 512-bit data encryption key (DEK) and tells
Mantle to store it. Mantle then wraps the DEK with a 256-bit key encryption key (KEK) and stores
the KEK either in your EKM (as when using self-encrypting drives, or SEDs) or by the process
described in the native LKM section. When a service needs to decrypt data, Mantle fetches the
KEK to unwrap the DEK. When a service like Stargate starts up, the system fetches the key from
Mantle and caches it on the client side.
Software DARE enables all capacity transformations. If you have deduplication and compression
turned on, new user data in the system has its hash computed first. After the hash is computed,
the system compresses and encrypts the data before storing it on disk. Once the data is
encrypted, you can still apply Nutanix erasure coding (EC-X) to it. Data is always encrypted at
the source, then replicated for availability; this approach avoids doubling the work and wasting
CPU cycles. The diagram below breaks down this workflow.


Figure 7: Encryption Workflow

Because the oplog and the extent store use different file system layouts and indexing schemes
for data, oplog encryption must be redone when the data reaches the extent store. Nutanix
makes sure that, at any point in time, two blocks of encrypted data in the system don’t share the
same initialization vector (IV). The IV adds more randomization to the encryption process so that
someone monitoring the system can’t detect patterns about the plain text.


8. Conclusion
Security is a preeminent concern at Nutanix, permeating every aspect of our design and creating
efficiencies for your business. The Nutanix SecDL provides defense in depth and a hardened-
by-default posture right out of the box. The RHEL 7 STIG with SCMA offers quick insight on
your environment’s security posture and frees up time by shrinking compliance and regulatory
windows. Automating the ongoing process of hardening and compliance gives customers
the most secure platform right from the start and in the future. Our use of agile development
also means that customers benefit from rapid security enhancements and reduced zero-day
vulnerabilities. Instead of wasting time on issues like interoperability, customers can devote their
resources to providing value to the company. Nutanix achieves always-on security alongside
performance, ease of use, and uninterrupted uptime by addressing it throughout the entire
solution.


Appendix

Risk Management Features


In addition to SecDL and the RHEL 7 STIG, Nutanix also provides options for the risk
management features that have become requirements for most organizations.
• Log shipping
The Nutanix CVM provides a simple method for preserving CVM log integrity across a cluster.
The cluster-wide log shipping setting can forward all logs to a central log host. Local logs lack
integrity because there is the possibility of privilege escalation and someone deleting logs to
cover their tracks.
• Forensics
Verifying the integrity of critical CVM files with an internal database allows us to track
configuration and file changes. The system monitors CVM files and can alert you if changes
have occurred.
• SELinux enabled
SELinux can protect the system from malicious code, providing an additional layer of security.
• Two-factor authentication
Enforces two-factor authentication for system administrators in environments with stringent
security needs. When implemented, logons require both a client certificate and a user name
and password. Administrators can use local accounts or Active Directory for user names and
passwords. Nutanix also supports Common Access Cards (CACs).
• Cluster lockdown
Allows administrators to restrict access to a Nutanix cluster in security-conscious
environments, such as government facilities and healthcare provider systems. Cluster
lockdown disables interactive shell logons automatically.
• Disk encryption
The Nutanix disk encryption solution is not only centralized but also Federal Information
Processing Standard (FIPS) validated—this includes our self-encrypting drives (SEDs)
and third-party key management service (KMS). Vormetric, SafeNet, and IBM Security Key
Lifecycle Manager are supported KMS providers.
• Secure erase
Disk encryption systems can securely erase a drive removed from the Prism UI.
• Key rotation
If the KMS becomes compromised, only the machine encryption key (MEK) needs to be
reencrypted. You don’t need to reencrypt any data, making operations simple and easy.
• Password complexity support
Enables additional rules to meet regulatory requirements.
• Banner support
Adds warnings and custom prompts when logging on to the CVM or Prism to meet federal and
compliance regulations.

About Nutanix
Nutanix makes infrastructure invisible, elevating IT to focus on the applications and services that
power their business. The Nutanix Enterprise Cloud OS leverages web-scale engineering and
consumer-grade design to natively converge compute, virtualization, and storage into a resilient,
software-defined solution with rich machine intelligence. The result is predictable performance,
cloud-like infrastructure consumption, robust security, and seamless application mobility for a
broad range of enterprise applications. Learn more at www.nutanix.com or follow us on Twitter
@nutanix.


List of Figures
Figure 1: Nutanix Enterprise Cloud................................................................................... 6

Figure 2: SecDL Testing Is Fully Automated During Development................................... 8

Figure 3: Nutanix Agile Development Model.....................................................................9

Figure 4: Check Content from the OS STIG................................................................... 11

Figure 5: EKM and LKM Workflows................................................................................ 14

Figure 6: Securely Stored Backup DEK.......................................................................... 15

Figure 7: Encryption Workflow........................................................................................ 17


List of Tables
Table 1: Document Version History.................................................................................. 5
