Next-gen HCI for Dummies

Issue link: https://insights.oneneck.com/i/1450344

Next-Generation Hyperconverged Infrastructure For Dummies, Nutanix Special Edition

In this chapter, you learn about the security and compliance capabilities of next-generation hyperconverged infrastructure (HCI).

Implementing Data at Rest Encryption

Data at rest encryption is an important layer in a defense-in-depth strategy: if data is accessed without authorization, encryption prevents it from being stolen for financial benefit or used to gain system access. It provides an additional countermeasure and a necessary layer of protection for data stored on disk. Data at rest encryption is also required for compliance with many data protection regulations.

Data at rest encryption offers several key security protections, including:

» Preventing an attacker from simply exfiltrating unprotected data after breaching a network
» Ensuring that data is protected if an attacker attempts to copy the data to another system
» Protecting data in the event of physical drive theft
» Ensuring that data isn't accessible if it inadvertently leaves the datacenter on failed or replaced drives

Intel cryptographic instructions, combined with the Nutanix next-generation HCI architecture (data locality) and the point in the data path where the data is encrypted, make the Nutanix Federal Information Processing Standards (FIPS) 140-2 validated software-based encryption implementation efficient, with no material performance impact. Thus, the only reason to choose self-encrypting drives is if hardware-based tamper detection is required.

Nutanix implements a data security configuration that uses Acropolis Operating System (AOS) functionality along with the next-generation HCI cluster's local or external key management server (KMS). A symmetric data encryption key (DEK), such as an Advanced Encryption Standard (AES) 256 key, is applied to all data being written to or read from the disk. The key is known only to AOS, so there is no way to access the data directly from the drive.

In the case of an external KMS, each node maintains a set of certificates and keys in order to establish a secure connection with the KMS. Nutanix uses the open Key Management Interoperability Protocol (KMIP) standard for interoperability and strong security.

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
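The separation the chapter describes (an AES-256 DEK that lives only in node memory, a KMS that never exposes its own key, and a drive that carries nothing usable on its own) as an added Go example; this is illustrative code, not Nutanix's AOS implementation, and it assumes the common envelope model in which the KMS holds a key-encryption key (KEK) that wraps the DEK. The in-process KMS type stands in for the KMIP exchange; all names here are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RandomKey returns a fresh 256-bit key, used here for both the AES-256 DEK and the KEK.
func RandomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the per-block write path: AES-256-GCM with a random nonce prefixed to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the read path; the GCM tag check fails for any key other than the one used in Seal.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KMS is a hypothetical stand-in for the cluster's local or external key manager: it holds
// the key-encryption key (KEK) and only wraps or unwraps DEKs for a node; the KEK never leaves it.
type KMS struct{ KEK []byte }

func (k *KMS) WrapDEK(dek []byte) ([]byte, error)       { return Seal(k.KEK, dek) }
func (k *KMS) UnwrapDEK(wrapped []byte) ([]byte, error) { return Open(k.KEK, wrapped) }

// Disk is what a stolen or replaced drive carries: ciphertext blocks plus the wrapped DEK,
// never the plaintext DEK (held only in node memory) or the KEK (held only by the KMS).
type Disk struct{ WrappedDEK []byte; Blocks [][]byte }
```

Reading a block succeeds only for a node that can unwrap the DEK through the right KMS; a guessed key, the wrapped DEK bytes, or a different KMS all fail the GCM tag check rather than yielding plaintext.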
