
Where the sum is greater than its parts

FlexPod offers the best reference architectures for data center security

Dr. Nikhil Joshi

Converged infrastructure is an excellent example of the phrase “The whole is greater than the sum of its parts,” which is often attributed to Aristotle.

One sense in which this phrase stands true is for a data center customer who depends on a converged infrastructure, such as the FlexPod® platform. That customer’s data center achieves a high level of reliability, security, availability, productivity, usability, and long-term affordability. In contrast, a customer who builds a data center by merely throwing in some JBODs (just a bunch of disks), commodity servers, and commodity switches can only hope that the components work in unison. It’s prudent for data center customers to invest in a validated architecture so that they can rest easy knowing that their data center will deliver on their expectations. 

But complexity is the second and equally important sense in which the phrase stands true. The complexity in deploying a data center is far more than the sum of the complexities involved in deploying its constituent components, unless it’s deployed as a validated, converged infrastructure. And just as FlexPod provides comprehensive benefits, its features combine to reduce the complexity of implementing and securely managing your data center. 

Data center security: The most important consideration

Of all the attributes that you can expect from your data center, security seems to have become the most crucial feature. 

Security threats against data centers have grown exponentially in recent years. Harvard Business Review reported in 2023 that despite spending $150 billion on cybersecurity in 2021, organizations around the world faced a total of 4,100 publicly disclosed data breaches in 2022. That means organizations spent 12.4% more in 2022 but reduced breaches by only 5% compared with 2021. Forbes reported last year that, going forward, the focus should be on the cyberattack surface and attack vectors in order to mitigate threats and to enhance resilience and recovery. And according to a 2023 Deloitte Center for Controllership poll, about half (48.8%) of C-suite and other executives expected cyberattacks on their organizations’ accounting and financial data to increase in number and size over the year.

Security incidents pose challenges for your data center executives, such as: 

  • Cost. According to Statista, “As of 2023, the average cost of a data breach in the United States amounted to 9.48 million U.S. dollars, up from 9.44 million U.S. dollars in the previous year. The global average cost per data breach was 4.45 million U.S. dollars in 2023.” 
  • An unending game of cat and mouse. Data center security is not a one-time task. Your data center needs to stay abreast of the latest security strategies, because malicious actors continually adapt to the security controls already in place. 
  • Lack of expertise. Staffing shortages have affected data centers too. Unless a data center is designed to be easy to secure, it’s hard to find IT security experts to handle the ever-growing complexity of a secure data center configuration. Cybersecurity teams are known to be overstretched, increasingly prone to burnout, and understaffed. 
  • Trade-off between security and functionality, performance, and usability. Each door that you close to bad actors can also make it harder for your team to do their job. An excessively locked-down data center can deliver lower functionality, performance, and usability than you expect. You have to let the experts maintain the fine balance by turning only the necessary knobs. 

Therefore, keeping a data center secure is a tightrope walk. 

FlexPod stands up to expectations… as always

Security is a use case in which FlexPod particularly outshines its competitors. The previously published Technical Report 4961, FlexPod ransomware protection and recovery with NetApp Cloud Insights and SnapCenter, demonstrates in depth how FlexPod gives you a comprehensive defense against ransomware. It also showcases how, with FlexPod, you get a cloud-based solution for end-to-end disaster recovery and business continuity, with a significantly shorter recovery time objective (RTO) after a ransomware event. And it describes how FlexPod enables you to automate application-consistent backup and recovery of VMs, or stateful restarting of your mission-critical application pools after downtime. You simply use the NetApp® SnapCenter® Plug-in for VMware vSphere, Oracle Database, SAP HANA Database, Microsoft SQL Server, Microsoft Exchange Server, UNIX, or Microsoft Windows. 

Later, with Technical Report 4984 for FlexPod security hardening, FlexPod became the only converged infrastructure to date to publish a full-stack validated security hardening guide. TR 4984 combines security-hardening best practices for the individual components of the FlexPod architecture. By using this one-stop-shop security-hardening guide for the FlexPod solution, you gain value by greatly reducing risk across your data center. This full-stack hardening guide for FlexPod includes mutually compatible security policies for individual components, helping your organization strike an optimal balance between interoperability, performance, security, usability, and functionality.  

And now we have recently published a Cisco Validated Design (CVD) guide about the Zero Trust framework for FlexPod. Zero Trust architecture (ZTA) is an evolving set of cybersecurity paradigms promoted by organizations such as the National Institute of Standards and Technology (NIST). ZTA shifts IT security from static, network-based perimeters to a focus on users, assets, and resources. 

Zero Trust Architecture

ZTA grants no implicit trust to assets or user accounts based solely on their physical or network location. In ZTA, authentication and authorization of users and devices are need-based, per session, and time-bound. It requires enterprises to continually analyze and evaluate the risks to their assets and business functions and then enact protections to mitigate those risks. It also requires enterprises to have visibility into the assets that are active on the network (or those accessing resources remotely) in order to categorize, configure, and monitor the network’s activity. ZTA tenets treat all data sources and computing services as resources. The following is a summary of a Zero Trust strategy:

[Figure: summary of a FlexPod Zero Trust strategy: trust, segmentation, security platform, visibility, and evaluation process]

The Cybersecurity and Infrastructure Security Agency (CISA) has described a detailed Zero Trust Maturity Model (ZTMM) for legacy systems to implement ZTA. It recommends gradual implementation of ZTMM across five pillars of an IT enterprise: identity, devices, networks, applications and workloads, and data. And it includes three capabilities—visibility and analytics, automation and orchestration, and governance—that span all five pillars. 

How FlexPod simplifies ZTA implementation for the data center

Implementing ZTA is a crucial part of IT security, but without expert guidance, it can be cumbersome. In the ZTA CVD, my colleagues Haseeb Niazi and Jyh-shing Chen describe how the FlexPod converged infrastructure is consistent with the Zero Trust approach, so you don’t have to reinvent the wheel in your data center. The CVD focuses on three (of many) core pillars of the Zero Trust framework: segmentation, visibility, and threat protection. 

FlexPod is the only converged infrastructure solution on the market that has published a validated design to show how its security features fit into the philosophy of Zero Trust security. The following figure shows the FlexPod Zero Trust framework.  

[Figure: the FlexPod Zero Trust framework, showing the FlexPod components and security modules]

Source: Cisco Validated Design (CVD) guide about the Zero Trust framework for FlexPod

This CVD encapsulates the previous two security TRs and highlights how FlexPod aligns with ZTA. It describes FlexPod security features such as network isolation, device and protocol hardening, encryption of data in flight and data at rest, multi-admin verification (MAV), multifactor authentication (MFA), role-based access control (RBAC), secure multi-tenant segmentation, firewalls, intrusion detection/prevention systems, full-stack visibility with device and network monitoring, reporting, and auditing. The CVD also describes how various Cisco and NetApp components, such as Cisco UCS servers, Cisco Intersight, NetApp AFF storage with NetApp ONTAP, and VMware vSphere, synergistically secure your data center. And it describes how solutions such as NetApp Autonomous Ransomware Protection, NetApp Active IQ Unified Manager, NetApp SnapCenter, Cisco Firewall Threat Defense, Cisco Secure Workload, Cisco Secure Network Analytics, and Intel Confidential Computing can identify, protect against, and mitigate cyber threats.

And there’s more!

We will soon also release a FlexPod solution brief about the data center security landscape for a nontechnical audience. And we will publish a deployment guide with automation scripts to implement the best practices that are laid out in the Zero Trust CVD.  

Start the journey to protecting your data center with FlexPod. Find out more about the validated architectures that FlexPod offers. And stay tuned for announcements about many more solutions for FlexPod. 

About the author

Dr. Nikhil Joshi holds an MBBS (the degree for physicians in India) and an M.Tech in Biomedical Engineering from the Indian Institute of Technology, Bombay, India. Prior to joining NetApp, Nikhil worked in solution management and development of multiple healthcare applications for over a decade, and observed how healthcare products and the underlying IT infrastructure can influence the lives of physicians, clinicians, and non-clinical staff, as well as their ability to deliver care to patients. Nikhil is a senior product manager for FlexPod at NetApp, responsible for the FlexPod business for the enterprise applications and healthcare verticals, and for the security and sustainability use cases.