Andrea Danti - Fotolia
Any enterprise-class storage platform must include powerful security and resilience features. VMware vSAN 6.6.0...
and 6.6.1 address both concerns and can secure VMware environments with numerous features.
In order to secure VMware environments, vSAN includes native encryption that protects data stores at rest through the use of Advanced Encryption Standard 256 ciphers. VSAN enables and configures encryption on the data store level, so everything in a vSAN data store is encrypted when you invoke the feature. Data is encrypted during write operations to drives used for cache or regular storage. Organizations often use encryption to emphasize data security or satisfy regulations.
Encryption is also compatible with other vSAN features, including deduplication, compression, erasure coding and stretched cluster operation, and related vSphere features, such as High Availability, vMotion, Distributed Resource Scheduler and Replication. VSAN encryption is hardware-agnostic and allows deployment on any host hardware that uses solid-state drive (SSD) or hard disk drive devices. You do not need self-encrypting drives to employ encryption.
Encryption requires a key management server, but organizations can employ many available Key Management Interoperability Protocol-compliant KMS vendors, including HyTrust, Vormetric and others.
Multifactor authentication (MFA) improves the ability of the vSAN platform to secure VMware environments by introducing additional physical elements to the authentication process beyond a user's typical credentials. VSAN is essentially part of the vSphere hypervisor and shares support for major MFA methods, including RSA SecurID and Common Access Card.
Clusters can protect against the failure of one or more host servers but do not guard against the loss of an entire site. VMware first implemented the concept of stretched clusters in vSAN 6.0 to mirror data between site clusters, which effectively provides local and geographically separate site resilience. Local workloads can choose from RAID 1 mirroring, RAID 5 distributed parity erasure coding or RAID 6 dual parity erasure coding.
Stretched clusters are configured and managed via storage policies in vSphere, which allow the administrator to implement protection per VM and change policies on the fly. This approach minimizes traffic between sites that might otherwise occur when a failed component needs to be synchronized or rebuilt. VSAN 6.6 storage policies also allow for site affinity, which enables the administrator to locate VMs that aren't replicated by stretched clusters to a preferred site. This is a handy feature when the VM workload is protected by other -- usually internal or native -- replication mechanisms, such as Active Directory.
Degraded device handling
Computing devices -- such as server memory modules, magnetic drives and SSDs, as well as many other subsystems -- produce an array of errors that are detected and logged. Those errors, as well as departures from typical performance characteristics, allow vSAN to detect, report and even proactively address potentially impending storage failures. VSAN assesses the data on a suspect device, and if copies of that data are available elsewhere, vSAN waits before taking action. If copies of that data are not available elsewhere, vSAN will immediately work to move and rebuild the data on other storage devices. Such proactive detection and correction can help reduce risk, mitigate data loss and limit rebuild downtime. If rebuild or resynchronization activity affect cluster performance, vSAN 6.6 allows the administrator to adjust the throughput of rebuild operations to mitigate the performance hit.
Examine best practices for vSphere security
Use ESXi secure boot to boost security
VMware storage policies can improve vSAN cluster redundancy
Dig Deeper on Securing a VMware environment
Related Q&A from Stephen J. Bigelow
Containers have rapidly come into focus as a popular option for deploying applications, but they have limitations and are fundamentally different ... Continue Reading
ALM and SDLC both cover much of the same ground, such as development, testing and deployment. Where these lifecycle concepts differ is the scope of ... Continue Reading
Eliciting performance requirements from business end users necessitates a clearly defined scope and the right set of questions. Expert Mary Gorman ... Continue Reading