Security is a major pillar of the XCP design. The use of innovative automation results in perhaps the most hardened, simple and comprehensive virtualization infrastructure in the industry.
AHV is not designed to work with a comprehensive HCL of hardware vendors, nor does it have countless bolt-on style products which need to be catered for. Instead Acropolis hypervisor has been optimized to work with the Nutanix Distributed Storage Fabric and approved appliances from Nutanix and OEM partners to provide all services/functionality in a truly Web scale manner.
This allows for much tighter and targeted quality assurance and dramatically reduces the attack surface compared to hypervisors.
The Security Development Lifecycle (SecDL) is leveraged across the entire Acropolis platform ensuring every line of code is production ready. This design follows a defense-in-depth model that removes all unnecessary services for libvirt/QEMU (SPICE, unused drivers), leverages libvirt non-root group sockets for principle of least privilege, SELinux confined guests for vmescape protection, and an embedded intrusion detection system.
Acropolis hypervisor has a documented and supported security baseline (XCCDF STIG), and introduces the self-remediating hypervisor. On a customer defined interval, the hypervisor is scanned for any changes to the supported security baseline, and resets the baseline back to the secure state if any anomaly is detected in the background with no user intervention.
The Acropolis platform also boats a comprehensive list of security certifications/validations:
Summary
Acropolis provides numerous security advantages including:
- In-Built and self auditing Security Technical Implementation Guides (STIGs)
- Hardened hypervisor out of the box without the requirement for administrators to apply hardening recommendations
- Reduced attack surface compared to other supported hypervisors
For more information on Nutanix security see:
