SCMA Nutanix Security Framework | 100% Secure

Nutanix Security HyperHCI Tech-Security Blog HyperHCI.com

In today’s rapidly evolving technological landscape, where complex systems and emerging security threats pose significant challenges, manually validating and ensuring the integrity of security configurations and parameters has become increasingly difficult.

To address this, the Nutanix engineering team developed an automated framework designed to consistently monitor, check, and validate security configurations and parameters across the entire infrastructure.

This framework operates on a customizable schedule, tailored to meet customer-specific security needs, with options for hourly, daily, weekly, or monthly scans, ensuring continuous and proactive security posture management.

Nutanix Security framework Introduction

The Nutanix Security Configuration Management Automation (SCMA) framework is built on the RHEL Security Technical Implementation Guides (STIGs) and leverages machine-readable code to automate compliance with stringent security standards.

By utilizing SCMA, Nutanix enables the continuous and rapid assessment and remediation of security configurations, ensuring adherence to critical regulatory requirements such as NIST 800-53 and US DOD-DISA.

This process analyzes and self-corrects over 1,700 security entities across the storage, Nutanix CVM, and Nutanix hypervisor (AHV) layers, automatically reporting any log inconsistencies and reverting them to the established baseline to maintain optimal security compliance.

Nutanix has standardized the security profile of the Controller VM to a security compliance baseline that meets or exceeds the standard high-governance requirements.

How Nutanix SCMA framework Scan works

The Nutanix SCMA (Security Configuration Management Automation) framework scan is a process that performs a health check of your Nutanix cluster’s SCVM (Storage Cluster Virtual Machine) environment. The scan helps identify configuration issues, performance problems, and potential security concerns in your Nutanix infrastructure.

Step 1: Initiating the Scan (Triggering Phase)

  • Nutanix SCMA schedules scans to run automatically at regular intervals to ensure continuous health monitoring of your cluster.
  • The SCMA framework scan can be initiated manually via the command-line interface (nCLI).

Step 2: SCMA Framework Scan Initialization (Preparation phase)

Step 3: Scan Execution (System Health Check)

The SCMA framework checks key metrics and system states:

  • SCVM Status: Verifies that all SCVMs are operational, running the correct software version, and are properly configured.
  • Storage Configuration: Checks the health of storage pools, volumes, and disks.
  • Data Resiliency: Verifies redundancy configurations (e.g., replication) and checks if data is sufficiently protected.
  • Security Settings: Scans for any security vulnerabilities or misconfigurations.

Step 4: Report Generation (Result Phase)

  • After the scan, Nutanix SCMA generates a detailed report on the Nutanix cluster's security posture and environment.
  • The report categorizes issues into severity levels (e.g., Critical, Warning, Information) and provides a summary of findings.
  • Common results in the report may include: Configuration discrepancies (incorrect settings or outdated configurations).

Step 5: Remediation – Fix Security parameters deviations (Final step)

Actions and Recommendations:
For each detected issue, SCMA automatically fixes it according to predefined security standards such as NIST 800-53 and US DOD-DISA.

How to Enable and configure Nutanix SCMA Scan

To enable and configure the Nutanix Security Configuration Management Automation (SCMA) scan, follow these steps:

1. Check the SCVM Cluster-Wide Configuration of the SCMA Policy

To view the current SCMA security configuration on the cluster, run the following command on the Controller VM (CVM):

CVM$ ncli cluster get-hypervisor-security-config

2. Change the Default Schedule for SCMA Scan

The SCMA framework can be configured to run on a fixed schedule. You can modify the schedule to fit your needs, with options such as hourly, daily, weekly, or monthly. To change the schedule, use the following command:

CVM$ ncli cluster edit-hypervisor-security-params schedule=hourly

Replace hourly with any of the following options depending on your requirements:

  • hourly
  • daily
  • weekly
  • monthly

Recommendation for Scheduling Based on Network Exposure

  • If the Nutanix Cluster is Public-Facing (Has Internet Access): Set the SCMA scan schedule to “HOURLY”. This ensures more frequent checks against emerging threats from the internet.
  • If the Nutanix Cluster is in a Dark-Site/Isolated Network (No Internet Access): Configure the scan to run “DAILY”. In isolated environments, the likelihood of external threats is significantly reduced, so less frequent scans are typically sufficient.
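The two commands and the exposure-based recommendation above can be combined into a small schedule audit. This is an added example, not code from the original post or from Nutanix: the function names, the "Key : Value" output layout, and the rule that a more frequent schedule also satisfies the recommendation are assumptions, and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the SCMA scan schedule against the page's recommendation.
# ASSUMPTION: get-hypervisor-security-config prints "Key : Value" lines.
# Constructed sample output (not captured from a real cluster):
SAMPLE_CONFIG='    Enable Aide               : false
    Enable Banner             : false
    Schedule                  : DAILY'

# Print the lower-cased Schedule value from the config text; fail if absent.
scma_schedule() {
  local key value
  while IFS=':' read -r key value; do
    key=$(printf '%s' "$key" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    if [ "$key" = "schedule" ]; then
      printf '%s\n' "$value" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
      return 0
    fi
  done <<EOF
$1
EOF
  return 1
}

# Lower rank means more frequent scans.
schedule_rank() {
  case "$1" in
    hourly) echo 1 ;; daily) echo 2 ;; weekly) echo 3 ;; monthly) echo 4 ;;
    *) return 1 ;;
  esac
}

# Page's recommendation: public-facing -> hourly, dark-site/isolated -> daily.
recommended_schedule() {
  case "$1" in public) echo hourly ;; isolated) echo daily ;; *) return 1 ;; esac
}

# Usage: scma_schedule_check <public|isolated> "<config text>"
# Returns 0 = meets recommendation, 1 = drift (prints the fix), 2 = cannot tell.
scma_schedule_check() {
  local want have have_rank
  want=$(recommended_schedule "$1") || return 2
  have=$(scma_schedule "$2") || return 2
  have_rank=$(schedule_rank "$have") || return 2
  if [ "$have_rank" -le "$(schedule_rank "$want")" ]; then
    echo "OK: schedule=$have meets the $want recommendation ($1 cluster)"
    return 0
  fi
  echo "DRIFT: schedule=$have, want $want. Fix: ncli cluster edit-hypervisor-security-params schedule=$want"
  return 1
}

scma_schedule_check isolated "$SAMPLE_CONFIG"
```

On a CVM, pass the live output instead of the sample: `scma_schedule_check public "$(ncli cluster get-hypervisor-security-config)"`.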

I hope you now have an idea of the Nutanix security framework and how it works to protect the Nutanix platform and your data!

Keep learning with HyperHCI Tech-Security Blog.
