Nutanix Helps Federal Agencies Accelerate their alignment to Zero Trust Architecture

The numbers are daunting: about 78% of organizations have been victims of one or more cyber attacks. Threats are growing at an astonishing rate of 350% in ransomware alone, and those breaches can be incredibly costly, on average $3.86 million per incident. Nearly half of U.S. federal government respondents in the 2021 Thales Data Threat Report noted they have experienced a security breach at some point, and of these, 47% said they had experienced a breach in the last 12 months. It is common knowledge that every organization faces cyber threats, and the risk is both external as well as internal, whether due to human error or bad actors.

Cybersecurity risk increases with complexity. Government agencies typically have a complex IT ecosystem, composed of a mix of legacy data centers, private clouds, and numerous public clouds. Furthermore, virtual machines and cloud computing have eliminated traditional data security boundaries. The distributed nature of data across dissimilar IT environments has created new security challenges for the public sector. Separate silos of enterprise storage, networks, and servers mean more complexity and staff to support, but also it means more vulnerability and possible attack points. Moreover, with most organizations moving to a “work from home” model due to the pandemic, cyber predators have taken advantage of easier access to sensitive data and networks, as well as the relative ease at which they can leverage sophisticated models of attack.

With the Executive Order on Improving the Nation’s Cybersecurity, every Federal agency is mandated to adopt a Zero Trust Architecture (ZTA). ZTA was developed to give greater protection to data given the disparate nature of IT as it exists today. ZTA was ratified by the publication of NIST SP800-207, and further referenced in the NSA Cybersecurity Information sheet.

ZTA works on the premise that access to digital objects, like resources, applications, data and metadata should never be implicitly granted. Instead, access should be constantly and continuously evaluated to be appropriate. This strategy moves the boundary of “challenge response” from a perimeter-based approach to a more pervasive model that is closer to the resource being accessed, each and every time.

Don’t be fooled into thinking that ZTA can be accomplished with a specific tool, or by addressing Identity and Access Management or Network Security best practices. ZTA implementation and compliance can be tricky and is continuous. IT organizations must embrace a new mindset to how they build and secure systems in a ZTA.

Nutanix integrates security into every step of its solution stack from the early stages of development. For example, the stack conforms to Security Technical Implementation Guides (STIGs), which maintain a security baseline configuration based on common standards established by the National Institute of Standards and Technology (NIST). Nutanix products were tested and selected for inclusion on the Department of Defense Information Network (DoDIN) Approved products List (APL).

The Nutanix® Cloud Platform includes recent innovations with the launch of AOS™ version 6 software, to help government agencies and the military build modern, software-defined data centers and speed their hybrid multicloud deployments. Through these new features, government IT will get powerful built-in virtual networking, enhanced disaster recovery, and simplified zero-trust security that otherwise would require additional specialized hardware, software, and skills. Most importantly, due to the integrated nature of the Nutanix Cloud Platform, all functionality is managed through a single interface significantly decreasing operational overhead.

Nutanix can accelerate government IT’s alignment to NIST 800-207 ZTA by providing the necessary foundation on which government agencies can build their IT environment, whether on-premises (private cloud), public cloud or hybrid multicloud. This foundation is composed of software and automation, including the following:

• Nutanix AOS, which is a true hybrid cloud operating system, architected with ZTA concepts baked into its fabric. Nutanix AOS is hardened out of the box with machine-readable Security Technical Implementation Guides (STIGs). AOS maintains this security baseline by self-healing deviations (or “drift”) with a system-wide Security Configuration Management Automation (SCMA) daemon.
• Nutanix AOS also includes Native Data-at-Rest Encryption: with FIPS 140-2 validated modules ; Native KMS (Key management of the encryption keys), Advanced Replication between clusters for end-to-end Disaster Recovery (DR).
• A ‘circle of trust’ in the boot process can be established, preventing unverified implicit trust from the support for UEFI Secure boot for User Virtual Machines (UVM) and the Nutanix native hypervisor AHV.
• Applications can be built and monitored on the Nutanix cluster management interface, Prism. Prism is an HTML 5 interface, enabling you to manage your entire stack; no plug-ins to install. When licensed with Prism Pro, additional functionality is introduced to enhance your security posture, including:
• Anomaly detection
• Advanced troubleshooting
• Monitoring for external environments, and reporting
• Smart automation – no code operations (e.g. Secure Development Lifecycle: To limit vulnerabilities and ensure patching, software must be audited for compliance regularly and upgrades should be made when necessary—Nutanix leverages its AOS solution as a hardened software platform for hyperconverged infrastructure (HCI).
• Automated workflow to add resources to a system
• Policies are auto updated throughout the VM lifecycle automatically within Prism, removing the burdens of change management
• Nutanix Flow Security’s microsegmentation is a key to applying “Zero Trust” at the network level, where policy becomes the new network security perimeter . Fine-grained network policy helps limit applications and users to only the resources they require. Microsegmentation also controls east-west (VM to VM) traffic to reduce the risk of threats (e.g., malware or ransomware) spreading laterally across the data center. It is built right into the AHV hypervisor with no additional software to install on the end-point. It can be activated and configured in minutes to act as a VM level firewall to enforce static trust boundaries where high-security is required (such as only opening well-known ports or isolation for high security zones).
• Nutanix Flow Security Central is a software-as-a-service (SaaS) security operations portal enabling visibility and control of Nutanix security configurations. It provides the following features out-of-the-box:
• Audit and reporting for common security and compliance frameworks such as HIPAA, PCI, and NIST
• Network traffic visibility and insights
• The ability to create custom audit checks to align with your specific security compliance needs
• Identity-based network policy – The Identity Firewall in Nutanix Flow Security applies policies of a user’s identity t o enable additional security context. Group and role information pulled from directory services combine to create a more granular yet dynamic policy model.

• Zero Trust architecture is about adding more challenge response mechanisms and putting them closer to the resources being accessed. Nutanix Files and Files Analytics can facilitate an element of this by alerting, monitoring and restricting access to Files and File shares. A common use of these APIs is forwarding these events to a Syslog server for retention and audit trails. While logging audit trails is useful, functionality simplifying insights into this data is a must.
• Nutanix File Analytics delivers additional insights on the underlying data and user activity, such as anomaly alerts and permission denials, which is powerful against the real-time identification of malware or other nefarious activity.
• Nutanix Objects allows you to store data over a long period with features designed to comply with strict regulations, such as the minimum period for which data must be available or who can alter data. For example, WORM buckets prevent anyone (including an administrator) from modifying or deleting data while the policy is active. Government agencies can integrate Objects with backup applications such as Commvault, HYCU, Veeam, and Veritas. Native IAM functionality ensures that you have access only to the buckets and objects you created and granted access permissions.
• Nutanix Mine extends an existing data protection provider to provide a single platform for organizations experiencing the benefits of Nutanix Enterprise OS as these organizations can simply extend their existing integrated data protection to including secondary data backup and archiving all in a turnkey backup solution powered by our platform partners.
• Enhanced Governance for Databases - Nutanix Era now delivers increased security capabilities through role-based access controls for shared access to databases and to database operations and tasks. This allows Federal agencies to easily implement their own security and compliance policies for database controls and accessibility. For instance, database administrators can use the new RBAC capabilities to share specific data with developers, while retaining control.
• In addition, Nutanix offers a Storage Consolidation Workshop to help government agencies assess and plan the migration process for existing Block, File and Object data. This workshop delivers a detailed migration plan tailored to your specific requirements and aligns to ZTA.