Hyperconverged Infrastructure Security Best Practices
Hyperconverged Infrastructure (HCI) is being more widely adopted every day. There is so much hype around HCI that it can sometimes be easy to get lost in the maze of the amazing features inherent with its design. Many organizations are moving away from the traditional infrastructure deployments and taking advantage of having all of the data center components wrapped up in a single chassis.
When preparing for an HCI deployment, many organizations fail to plan properly in the realm of security. It’s a crucial step, however, that can’t be skipped. But how do you secure your HCI deployment, and will the conventional data security practices apply and offer the same protection to an HCI deployment? These are the questions that need to be answered, and HCI security best practices need to be applied to ensure your data’s integrity when moving to a new platform.
We’re now in the era where users require access to their applications and data at any time and from anywhere. The idea of anytime/anywhere access presents a reasonable security concern, for both the organization hosting the data and the individual accessing it. Enterprise mobility management software today can create a secure tunnel from your device back to the organization’s servers to enable secure access to documents and email.
Additionally, application wrapping basically creates a VPN wrapper around any application that might be a corporate entity and requires security. That means securing our HCI deployments to offer customers secure access to data and applications hosted within the deployment.
Be Aware of Insider Threats
The first thing that needs to happen is physical security of the hardware itself. There have of course been cases of data centers being broken into and physical hardware being destroyed or hard drives being stolen. Although this is still a concern, it’s much less common today.
The chief threats now usually lie inside an organization’s walls. Insider threats are a big problem, and can cause millions of dollars in damage and result in data loss or leaks. They can come in the form of a disgruntled employee, a recently-fired employee whose access hasen’t been removed, or an employee doing corporate espionage. These are the people who know your systems and where they’re vulnerable.
The best way to protect against insider threats is to utilize the principle of least privilege. Least privilege simply means providing the least amount of access to an individual that allows them to do their jobs. Do this by creating groups like Administrators, Super Users, Read Only, Storage Administrators, and limit their access and ability to do damage.
Protect Individual Components
It may seem strange to move to a unified data center platform and then break down and secure each component individually. However, doing this applies multiple layers of security, which is required in today’s data center infrastructures.
Although HCI nodes integrate all functions in one unit, they still create multiple footprints a hacker can attack. The goal is to secure the entire physical unit and all the components which reside within.
Fortunately, this is becoming easier. Many storage vendors are now offering software-defined encryption that secures your storage footprint both at-rest and in-transit. Hypervisor vendors offer fabric protection and shields for virtual machines that add more layers of protection for the virtualization components. Backup software has become increasingly more intelligent in the way it moves backups and does point-in-time restores for your infrastructure. The ability to link your backup software with a cloud vendor provides another layer of security as well. It’s equally important to secure both the HCI system as a whole, and each component individually.
Centralized Security is Key
The traditional method of securing the data center is too cumbersome for an HCI deployment. The benefit of HCI is agility, which is helped by eliminating more performance bottlenecks. Traditional security methods rely on full clients that are required to be installed on each endpoint. Instead of relying on an agent-per-endpoint approach, it’s best to centralize security and apply an agentless approach. Going agentless removes the speed bumps inherent with full agent-based security architecture. By allowing the HCI chassis management platform to provide security across the board, the focus is shifted toward the performance of your workloads instead of the security agent.
Practicing Defense-In-Depth
Remember that there is no single “best practice” for securing your HCI environment. Defense-in-depth requires a strategy of applying multiple layers of security to your infrastructure, protecting from threats both within and without, and the physical as well as the software. Neglecting any of these aspects of your IT operations can quickly become a career-limiting event.