
FlexPod: A secure foundation for every workload


Reese Lloyd

As you delve into the realm of cybersecurity, you quickly realize that it is vast, deep, and full of pitfalls and hungry adversaries. It’s hard to know where to start, but you must take that first step. With FlexPod® as an infrastructure solution, NetApp and Cisco have highlighted those first steps, guiding you on a path to security you can count on. And, more importantly, a secure infrastructure that you can use as the foundation for all your workloads.

Secure by design

Both NetApp and Cisco take security seriously at all stages, including product design, hardware implementation, and software development. Both organizations are committed to security by design from the very beginning to offer the most robust security for every one of their products.

NetApp employs an in-depth Secure Development Lifecycle (SDL) process that builds on training internal teams. The process starts from a product security baseline to build in security from day 0, and it includes source code analysis and scanning as well as vulnerability and third-party software scanning. With this SDL process, NetApp® products have built-in security from the beginning so that they ship secure. In production, the security of NetApp products is bolstered with top-tier patch management and vulnerability handling processes so that they stay secure for their lifetime. Read all about NetApp’s commitment to security and more at the NetApp Trust Center.

Cisco also embraces a Secure Development Lifecycle process and complements development with protections for their products at every stage in the product lifecycle through their Value Chain Security. These processes enable Cisco to design, build, ship, and support products with security built in and maintained throughout the product’s life. For details and links to more information, check out Cisco’s Trustworthy Solutions.


To further commit to their SDL mission, both NetApp and Cisco have recently signed the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure By Design pledge. CISA works with enterprises to implement, build on, and complement existing industry security best practices, including those developed by CISA and NIST.

Certification

As the saying goes, “Trust but verify,” and with security you might not even want to trust. Trust or not, verification is crucial to backing up the claims made about product security. NetApp and Cisco are committed to building in security from inception, and also to certifying that security, so you know exactly what each product offers from a security standpoint. Many of these certifications are required to do business with government agencies worldwide, and they also offer a method of comparing security for all products.


Here’s a quick introduction to common certifications.

FIPS 140-2/140-3. The Federal Information Processing Standard (FIPS) 140 family of certifications defines and validates cryptographic modules. Note: FIPS 140-2 is being phased out and replaced by FIPS 140-3.

The Common Criteria. An international standard for evaluating and validating the security features and capabilities of products.

ISO 27001. An international standard that gives guidance on how to establish, implement, maintain, and improve information security management systems.

US DoDIN APL. The U.S. Department of Defense Information Network Approved Product List (DoDIN APL) provides purchasing guidance for DoD organizations looking to purchase equipment for use on the Defense Information Systems Network.

CSfC. Commercial Systems for Classified is a program run by the U.S. National Security Agency (NSA) that provides a framework and guidelines for configuring and deploying layered security solutions using commercial off-the-shelf (COTS) components.

That’s a ton of acronyms to remember, but the good news is that both NetApp and Cisco collect their certifications centrally for quick reference.

NetApp Compliance Offerings

Cisco Global Government Certifications

FlexPod security

What does all of this mean for the security of FlexPod as an infrastructure solution? FlexPod was launched 13 years ago, built on the secure foundations of NetApp and Cisco. Following that tradition, FlexPod remains focused on full-stack security.


Read more about FlexPod security solutions in these documents.

  • FlexPod: Where the sum is greater than its parts.
  • FlexPod Datacenter Zero Trust Framework. The FlexPod Zero Trust Framework Cisco Validated Design (CVD) is a holistic security approach that integrates Zero Trust architecture guidelines for the full stack, including VMware vSphere, Cisco UCS, Cisco Nexus/MDS, and NetApp ONTAP® storage. This approach helps organizations to enhance their security posture, whether they’re deploying new systems or bolstering existing ones, by following a set of detailed security recommendations that span network segmentation, access controls, and data protection. All of the configuration required to deploy the FlexPod Zero Trust Framework can be automated by using Ansible, so that deployment is rapid, secure, and easy.
  • FlexPod Security Hardening Guide (TR 4984-1123). This guide is a critical baseline resource for securing a FlexPod infrastructure. It offers a collection of industry-vetted, lab-tested best practices and security measures that cover a wide array of protective strategies. These strategies include disabling unused services, configuration backups, compliance with FIPS 140 standards, UEFI secure boot, remote logging, robust authentication, and much more. This guide is essential for organizations that are looking to configure their FlexPod solutions to meet stringent security requirements.
  • FlexPod ransomware protection & recovery (TR 4961). The FlexPod approach to ransomware protection is twofold: proactive defense and effective recovery. NetApp ONTAP storage systems come equipped with built-in machine-learning-driven ransomware protection to defend your workloads. This technical report offers best practices for monitoring ONTAP systems and describes detailed recovery procedures for storage volumes and workloads. This information helps organizations prepare to respond and recover swiftly in the event of a ransomware incident. For additional peace of mind, FlexPod systems deployed following this guidance are backed by the NetApp Ransomware Recovery Guarantee.
  • FIPS 140-2 security-compliant FlexPod solution for healthcare (TR 4892). FIPS 140-2 began as a U.S. government standard for certifying and validating encryption implementations. It has expanded to become the de facto industry standard and is now required by other standards. For example, the Health Information Technology for Economic and Clinical Health Act (HITECH) requires FIPS 140-2-validated encryption of electronic Protected Health Information (ePHI). This technical report describes how to configure your FlexPod system to leverage the built-in FIPS 140-2 certified components in a healthcare environment. It is also broadly applicable to any environment that can benefit from running in a FIPS 140-2 compliant mode.

Solutions for workload security

FlexPod workload solutions run the gamut from virtualization to databases, AI to healthcare, containers to enterprise applications, and beyond. But no matter the workload you’re running on your FlexPod solution, you can count on security being built in from the moment the product was developed and years into the future. FlexPod workload solutions are designed to layer directly on top of the security features, certifications, solutions, and hardening practices discussed in this blog post. The singular goal of these solutions is to give every customer peace of mind that their environment is secure from the foundation up.


Reese Lloyd

Reese Lloyd is a NetApp product manager focused on FlexPod solutions. He brings a broad base of experience with storage and infrastructure systems, service providers, FedGov, security, and enterprise operations. Before NetApp, Reese held product management, technical delivery, and management positions in the areas of storage and networking focused on architecture, engineering, and operations.
