Converged architecture systems integrate a substantial amount of existing infrastructure, so the security of the converged architecture itself is of utmost importance. When designing the administration model for converged architecture systems, you need to ensure that all elements are as locked down as possible.
One important area to consider is systems administration. The people performing administrative tasks need to be limited in what they can and cannot do. They should be able to perform only the administrative tasks related to their roles. Global administrator accounts—which allow the performance of any administrative task on a system—are a definite no-no.
One of the principles of secure systems administration is role-based access control (RBAC). The idea behind RBAC is that you grant the ability to perform specific tasks, such as starting or stopping a virtual machine, but that you can limit that ability to a specific scope.
For example, on a converged architecture system that hosts virtual machines, you’d limit the ability to start and stop virtual machines to specific virtual machines. Given that a converged architecture system can host as many as 9,000 VMs, each administrator would likely be responsible for a fraction of that number. In this case, it makes sense to configure the administration model so that each admin can start and stop the VMs for which he or she is directly responsible.
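The scoped-permission model described above, as an added example that is not HPE OneView's role model or any product's API: a default-deny evaluator that grants start/stop only inside a per-admin VM scope and refuses wildcard grants at load time, so a global administrator cannot be created by accident. The principals, actions and VM identifiers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleBinding:
    """One grant: a principal may perform these actions on these VMs only."""
    principal: str
    actions: frozenset   # e.g. frozenset({"vm:start", "vm:stop"})
    vm_scope: frozenset  # VM identifiers the grant covers


class PolicyError(ValueError):
    """Raised when a binding would amount to a global administrator."""


class VmAdminPolicy:
    def __init__(self, bindings):
        self.bindings = []
        for b in bindings:
            # A wildcard in either dimension recreates a global admin; refuse it up front.
            if "*" in b.actions or "*" in b.vm_scope:
                raise PolicyError(f"binding for {b.principal!r} is not scoped")
            self.bindings.append(b)

    def is_allowed(self, principal, action, vm_id):
        # Default deny: access needs an explicit binding matching principal, action and VM.
        return any(
            b.principal == principal and action in b.actions and vm_id in b.vm_scope
            for b in self.bindings
        )


def policy_loads(bindings):
    """True if the bindings are accepted; False if any would grant global rights."""
    try:
        VmAdminPolicy(bindings)
        return True
    except PolicyError:
        return False


def vm_range(first, last):
    """Constructed VM identifiers vm-0001 ... vm-NNNN for a contiguous slice of the estate."""
    return frozenset(f"vm-{n:04d}" for n in range(first, last + 1))


# Constructed sample: two admins, each responsible for a slice of the VM estate.
POLICY = VmAdminPolicy([
    RoleBinding("alice", frozenset({"vm:start", "vm:stop"}), vm_range(1, 500)),
    RoleBinding("bob", frozenset({"vm:start"}), vm_range(501, 1000)),
])

if __name__ == "__main__":
    for who, act, vm in [("alice", "vm:stop", "vm-0042"), ("alice", "vm:stop", "vm-0800"),
                         ("bob", "vm:stop", "vm-0800"), ("mallory", "vm:start", "vm-0001")]:
        print(who, act, vm, "ALLOW" if POLICY.is_allowed(who, act, vm) else "DENY")
```

Every denied request is worth logging with the principal, action and VM, since repeated out-of-scope attempts are a signal that an account or workstation is being misused.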
One of the other strategies that you can use is a jump server in combination with privileged access management workstations. In this model, you configure the converged architecture system so that it accepts administrative connections—such as Remote Desktop, SSH or PowerShell—only from the jump server. You then configure the jump server to accept connections only from specially secured administrator workstations. These workstations are locked down so that the person using them can’t access tools other than the ones used to perform administrative tasks. For example, they would be blocked from browsing the Web or receiving email, as both are vectors for software that could be used to capture credentials.
By implementing a combination of RBAC, privileged access management workstations and jump servers, you can help to ensure that only authorized personnel can connect to the converged architecture system to perform administrative tasks—and that the tasks they can perform will be limited by the assigned administrative role.
Underwritten by HPE
Part of HPE’s Power of One strategy, HPE Converged Architecture 700 delivers infrastructure as one integrated stack. HPE Converged Architecture 700 delivers proven, repeatable building blocks of infrastructure maintained by one management platform (HPE OneView), built and delivered exclusively by qualified HPE Channel Partners. This methodology saves considerable time and resources, compared to the do-it-yourself (DIY) approach.
Based on a complete HPE stack consisting of HP BladeSystem with Intel® Xeon® E5 v3-based HPE ProLiant BL460c Gen9 blades, HPE 3PAR StoreServ all-flash storage, HPE Networking, and HPE OneView infrastructure management software, the HPE Converged Architecture 700 can be easily modified to fit within your existing IT environment.