HCI systems carry benefits and drawbacks from a security perspective. IT pros can’t ignore the factors impacting HCI security when they’re choosing a product.
Hyperconverged infrastructure (HCI) has been increasingly adopted in enterprise data centers. This is something we’ve seen in our interactions with IT clients and have confirmed by survey results this past year, and, in fact, every year we’ve conducted it. Enterprise IT organizations have certain expectations of infrastructure products they use.
As HCI crosses the threshold into the enterprise and mainstream data centers, it needs to meet the expectations of enterprise IT organizations. One of those areas is security.
“Enterprise” infrastructure products have “enterprise” feature sets – and that includes integration or compatibility with the security protocols and platforms that these organizations currently rely on.
In some ways, HCI can intrinsically provide a more secure environment than traditional infrastructure (servers and storage systems) based on its footprint but may present a less secure environment, based on operational characteristics and architecture. Physical consolidation can improve security because, as a large university IT director put it, “you don’t have a server under someone’s desk.” It can also consolidate management of the infrastructure, which includes the application and monitoring of security measures, improving overall effectiveness.
On the operational side, most enterprises have role-based access control (RBAC), in which people are given access only to the systems they actually use. In traditional environments, this meant different admin roles for servers, storage, networking, etc. With HCIs, these roles are often assumed by the same person, giving them access to everything, creating a single point of vulnerability and “putting a lot of trust in one person,” according to the data center manager of a large federal installation. “HCI management tools are often not up to DoD standards, not locked down, as DoD likes,” so they’re not used, he said. This can create more silos and make HCI management less efficient.
One area of security that’s rooted in storage infrastructure – one that HCIs have offered for several years – is data encryption. Encryption can be done at the drive level or in software running on the software-defined storage layer. Self-encrypting drives are easier to implement and do a good job of protecting data at rest. Most HCI vendors include self-encrypting drives at least as an option. Software encryption protects data that’s in flight, between the HCI and cloud or between locations or clusters. Many HCI vendors (about half of the 17 covered in the Evaluator Group HCI Comparison Matrix) offer software-based encryption.
A much newer technology that HCI vendors are starting to talk about is microsegmentation, a process that ties security policies to applications and workloads through the networking layer. This enables transactions between components or entities on the network to be scrutinized and only appropriate communication allowed. Microsegmentation aims to control “east/west” traffic within the network, stopping an intruder from moving between systems even after they have gotten through the perimeter. VMware provides microsegmentation, as do Nutanix AHV and Microsoft Windows Server.
IT professionals need to look closely at the security capabilities of the HCI products they’re considering, including management tools, and make sure they’re not creating more security vulnerabilities by adding an HCI cluster. Encryption is a given and should include both self-encrypting drives and software encryption for maximum protection. While new to many IT folks, microsegmentation is well suited to the software-defined nature of HCIs and will play an important part in HCI security moving forward.