Xi Frame Data Residency¶
Nutanix Xi Frame, a cloud-based Platform as a Service (PaaS), enables customers to deliver virtualized applications and desktops hosted in public and/or private clouds to end users. End users need only an HTML5 browser on a connected device. Nutanix operates and maintains the Xi Frame Platform, which provides customers with automated cloud resource orchestration, user session brokering, and environment administration.
With a distributed system such as Xi Frame, customers must understand how their data, particularly customer data and personal information, is collected, processed, transmitted, stored, and safeguarded. Data residency defines the physical location(s) of an organization's data, usually for regulatory reasons.
This document outlines what Xi Frame customer data and personal information is generated, collected, and transmitted; where that data is generated and stored; and the safeguarding measures Nutanix and customers must implement to keep the data secure.
What Data is Stored Where?¶
The figure below is a visual representation of the different domains where data is accessed and transmitted during a Frame session.
This section defines the data generated, received, transmitted, and/or stored on the end user’s device.
Authentication Token: A security token, generated by the Frame identity service, granted to a user once the user is authenticated based on the validity of the SAML2 or OAuth2 assertion. The token is valid up to the Authentication token expiration value configured in the Frame SAML2 authentication provider configuration. If the user is inactive for that amount of time, Nutanix Console logs the user out. If the user is active within the console (e.g., clicks hyperlinks, moves the mouse/cursor, scrolls, or presses keys), the token is renewed just before it expires. If the user is in a Frame session, the token is renewed automatically so the user is not disconnected while in session. For customers using SAML2 identity providers, the roles (authorization) assigned to the user are based on the SAML claims provided by the customer's identity provider.
Session Token: A remoting session security token, specific to one Frame session, generated by Frame Platform and provided to the user's browser after an authenticated and authorized user starts a session. The browser presents the session token to Frame Platform, to the Streaming Gateway Appliance (if deployed as a reverse proxy server), and to the assigned workload VM; each of these protected resources validates the session token before the user gains access. The session token can only be used with the assigned workload VM and is valid up to the max session duration configured in the Dashboard.
Session Stream: The video stream of the display(s) and audio, encoded in Frame Remoting Protocol (an H.264-based video stream) and sent from the workload virtual machine (VM) to the user's browser. Keyboard/mouse events and input audio (if the microphone is enabled) are sent from the user's browser to the workload VM. Frame Remoting Protocol uses Secure WebSocket (tcp/443, TLS) between the end user and the workload VM.
Session Metadata: Details generated on the end user's device and collected by Frame Platform as operations are performed during a Frame session. The data can be used to identify users, session start times and durations, the instance type used, the session type (desktop or published applications), the published applications used, and other operational details. The session metadata consists of the following inputs:
User device and workload VM IP addresses: Identifies the Internet Protocol (IP) address of the user’s device and the workload VMs accessed by the user during a Frame session. Both IP addresses may be private (private networking) or public.
User identifier: Identifies the user in the session, in the form of an email address. Depending on the customer, this may be an actual or a fictitious email address, provided by the customer's identity provider or by the Frame Secure Anonymous Token feature.
Session ID: The numeric identifier of a specific virtual Frame session.
Session Type: Desktop or Application
Published application launched: This describes the application(s) in-use by the user.
Clipboard: End users have the ability to copy and paste bidirectionally between the user’s device and the workload VM or unidirectionally, if the administrator enables the feature in Session Settings for a Frame Account.
Upload/Download: End users have the ability to upload and/or download files between the user’s device and the workload VM, if the administrator enables the feature in Session Settings for a Frame Account.
Printer: End users have the ability to print on printers locally accessed by the user’s device, if the administrator enables the feature in Session Settings for a Frame Account.
Microphone: The workload VM can receive audio from the user's microphone through the user's browser, if the administrator enables the feature in Session Settings for a Frame Account.
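The two token types above (the authentication token with its inactivity expiry and renewal, and the session token bound to one workload VM and capped by max session duration) are easiest to reason about as a small model. The following is an added example, not Frame's own code or token format: it assumes an HMAC-SHA256-signed, base64url-encoded JSON token and hypothetical claim names (typ, sub, sid, vm, iat, exp, idle, roles). What it shows is the set of checks a protected resource (Platform, Streaming Gateway Appliance, or workload VM) has to perform before honouring a token: signature, token type, binding to the presenting VM, and lifetime.

```python
"""Illustrative model of the authentication and session tokens described above.

Added example with a hypothetical token format; not Frame's implementation.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key. In a real deployment only the issuing service holds it;
# the browser and the workload VM only ever see signed tokens, never the key.
SIGNING_KEY = b"constructed-demo-signing-key"


def _signature(payload: bytes) -> str:
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(claims: dict) -> str:
    """Serialise claims as '<base64url(json)>.<base64url(hmac)>'."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _signature(payload)


def parse_token(token: str):
    """Return the claims only if the signature verifies; otherwise None.
    Claims are never read from an unverified token."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_signature(payload), sig):
        return None
    return json.loads(payload)


def issue_session_token(user: str, session_id: int, vm_id: str,
                        max_session_seconds: int, now: int) -> str:
    """Platform side: the session token is tied to one session and one workload VM."""
    return issue_token({"typ": "session", "sub": user, "sid": session_id, "vm": vm_id,
                        "iat": now, "exp": now + max_session_seconds})


def validate_session_token(token: str, presenting_vm_id: str, now: int):
    """Resource side: accept only a correctly signed session token that is bound to
    *this* VM and still within the max session duration."""
    claims = parse_token(token)
    if claims is None or claims.get("typ") != "session":
        return False, "invalid signature or token type"
    if claims.get("vm") != presenting_vm_id:
        return False, "token is bound to a different workload VM"
    if now >= claims["exp"]:
        return False, "max session duration exceeded"
    return True, "ok"


def issue_auth_token(user: str, roles: list, idle_seconds: int, now: int) -> str:
    """Identity-service side: roles come from the IdP's claims; exp is the inactivity deadline."""
    return issue_token({"typ": "auth", "sub": user, "roles": roles, "idle": idle_seconds,
                        "iat": now, "exp": now + idle_seconds})


def refresh_auth_token(token: str, now: int, last_activity: int, in_session: bool):
    """Console behaviour: an expired token means the user is logged out (None).
    Otherwise the token is renewed if the user has been active since it was issued,
    or unconditionally while the user is in a Frame session."""
    claims = parse_token(token)
    if claims is None or claims.get("typ") != "auth":
        return None
    if now >= claims["exp"]:
        return None
    if in_session or last_activity >= claims["iat"]:
        return issue_auth_token(claims["sub"], claims["roles"], claims["idle"], now)
    return token  # still valid and no activity yet: keep the current token
```

The VM-binding check is the one most easily forgotten: a token that is merely "valid" but was issued for a different workload VM must still be rejected by the VM that receives it.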
Frame Platform Data¶
For all Xi Frame (Commercial) deployments, both US domestic and international, Frame Platform data is stored in the AWS US East region. For Xi Government Cloud (FedRAMP), Frame Platform data is stored in AWS GovCloud (US West 1).
In addition to the data types transmitted to/from the end user described in the above section, the following data is received, transmitted, generated, and/or stored by Frame Platform as part of the service.
User identity and attributes: Depending on the customer's choice of identity provider and what personal information the identity provider passes to Frame Platform, Frame Platform stores user identity and attributes for authorization and activity logging. Common parameters provided as part of any user authentication event are:
First name and last name
Some customers choose to anonymize user identities during authentication events by providing fictitious first names, last names, and email addresses to Frame Platform. This may result in anonymous activity logs or require customers to correlate Frame activity logs with their own system logs.
System Configuration: Frame Platform also stores system configurations for each customer in order for customers to be able to customize their environments and user session behavior. These configuration options include:
Role-based access control (RBAC) settings: Allows the customer to grant access to features and functionality based on the user’s role within Frame Platform once the user has authenticated to Frame via a customer-selected identity provider.
Application launch parameters: Configures how the session will behave when users launch a desktop or application from a Launchpad.
Session settings: Enables cloud storage integrations, user features, session timeout policies, and Quality of Service settings at the account level or on specific Launchpads.
Cloud/data center configurations: Determines the public cloud regions or Nutanix AHV clusters that will be used to provision Frame accounts.
Cloud Credentials: Holds the information required for interacting with the public IaaS API gateways. For AWS, this is an IAM role created by the customer using a Nutanix-supplied CloudFormation template. For Azure, it is an Azure Active Directory app registration. For Google, it is a Google Project ID.
Onboarded Application Information: Stores information about the onboarded applications (i.e., published applications). Specifically, the application icon, application executable path, working directory, and command line arguments.
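Of the configuration items above, the Cloud Credentials entry is the one that grants a third party standing access to the customer's own cloud account, so the customer should review what the role trusts and what it can do. The following is an added example, not Nutanix's CloudFormation template and not a statement of the permissions Frame requires: the account IDs, external ID and policy documents are constructed, and the checks are generic AWS cross-account hygiene (no wildcard principal, trust limited to the expected platform account, an sts:ExternalId condition against the confused-deputy problem, and no IAM-level permissions in the role's own policy).

```python
"""Added example: review the cross-account IAM role a customer creates for a cloud
orchestration platform. Generic AWS checks on constructed policy documents; not
Nutanix's template or required permission set."""


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(trust_policy: dict, expected_account: str) -> list:
    """Return findings for every Allow sts:AssumeRole statement in the trust policy."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS"))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append("trust policy lets any AWS principal assume the role")
        elif not all(f":{expected_account}:" in p for p in aws_principals):
            findings.append(f"trust policy names a principal outside account {expected_account}")
        condition = stmt.get("Condition", {})
        if "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def audit_permissions_policy(policy: dict) -> list:
    """Flag grants an orchestration role should not need."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append("statement grants every action (*)")
        if any(a.lower().startswith("iam:") for a in actions):
            findings.append("statement grants IAM actions; the role could escalate its own privileges")
    return findings


# Constructed policy documents for demonstration only.
PLATFORM_ACCOUNT = "111111111111"  # hypothetical account of the platform that assumes the role

WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}},
    }],
}

WEAK_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, findings in [
        ("weak trust", audit_trust_policy(WEAK_TRUST, PLATFORM_ACCOUNT)),
        ("good trust", audit_trust_policy(GOOD_TRUST, PLATFORM_ACCOUNT)),
        ("weak permissions", audit_permissions_policy(WEAK_PERMISSIONS)),
    ]:
        print(name, "->", findings or ["no findings"])
```

Run the same checks against the role the supplied template actually creates (for example by fetching its trust and attached policies with the AWS CLI) rather than against the constructed documents above.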
Workload VM Data¶
This section defines the data generated, received, transmitted, and/or stored in the Workload VMs.
Session Token: described in the prior section
Session Stream: described in the prior section
Session Metadata: described in the prior section
Session Telemetry: Session telemetry refers to the measurement of session characteristics between the end user’s browser and the Frame workload VM (e.g., bandwidth, latency) and the reporting of workload VM performance metrics (e.g., CPU, memory). This data is collected by Frame Platform and used to evaluate session performance and quality of the experience for the user. The two key metrics are:
Bandwidth: Refers to the real-time data transmission capacity of the network between the user and the workload VM. When a user is in a Frame session, the real-time bandwidth is displayed on the left of the Frame status bar. Five indicator dots next to the Frame gear menu icon give a visual representation of the user's current bandwidth measurement:
Red dots: 1 to 2 Mbps
Yellow dots: 2 to 4 Mbps
Green dots: 4 to 8+ Mbps
Latency: Refers to the delay before a transfer of data begins following an instruction for its transfer. This is the time it takes for a single packet of data to go from the user’s browser to the workload VM and back.
Clipboard: described in the prior section
Upload/Download: described in the prior section
Data Processing: All applications installed by the customer or its users execute on the workload VMs. The customer has the option of offloading the processing of data to other compute infrastructure (e.g., rendering engines, machine learning servers, application servers) controlled, managed, and/or selected by the customer.
Storage Mounts/Data: Any data generated by these applications remains within the workload VM until the user saves the data in persistent storage (profile disk, personal drive, file server, cloud storage). The customer determines what persistent storage options the end user may use (and where the persistent storage is located).
Sandbox Configuration (template image): Each Frame account has one Sandbox, a VM that manages the master image for the account. Customer administrators use the Sandbox to install and update their applications and manage the operating system. When the administrator publishes the Sandbox, a snapshot of the Sandbox image is backed up and cloned to create the production VMs of the Frame account. The Sandbox VM is persistent. Any applications or files stored in the Sandbox image will be included in the production VM images.
User Profiles: For non-persistent Frame accounts, customer administrators can enable the Frame profile disk feature in order for user application profiles and user folders (e.g., Documents, Desktop, Downloads, etc.) to be redirected to user profile disks. This profile disk is mounted when a user enters a Frame session and unmounted when a user closes their Frame session. User profile disks are stored as part of the Frame account. The user can backup and restore their own user profile disk.
Personal Drives: Customer administrators can configure a Frame account to provision and manage a personal drive for each user. User personal drives are stored as part of the Frame account. The user can backup and restore personal drives.
Cloud services operate under a shared-responsibility model: Nutanix and customers each have a share of the responsibility for protecting the data. Nutanix is responsible for the security of Frame Platform. Customers are responsible for the security of their users' endpoints, the infrastructure they bring to Xi Frame (including the workload VMs), and any application and storage services they provide to their users.
In general, Xi Frame stores all data at rest in an encrypted form. This includes data stored within Frame Platform and all data stored in the workload VM disks, profile disks, and personal drives. Frame Platform relies on the underlying infrastructure’s storage encryption capabilities, including the safeguarding of the storage encryption/decryption keys.
All communications between the system components are encrypted using TLS 1.2 (HTTPS and Secure WebSocket).
Nutanix recommends customers integrate an enterprise SAML2 or OAuth2 identity provider with their Frame customer entity to ensure secure authentication of their users. With an enterprise identity provider, customers can leverage the identity provider's multi-factor authentication capabilities.
Authorization
Nutanix provides customers who integrate an enterprise SAML2 or OAuth2 identity provider with their Frame customer entity the ability to define authorization rules. All users who access Frame using the customer’s SAML2 identity provider are then authorized to access protected resources based on these authorization rules.
Xi Frame Compliance¶
Nutanix maintains a set of global certifications for Xi Frame, including SOC 2 Type 1, SOC 2 Type 2, SOC 3 and ISO 27001/27017/27018. Details can be found at https://www.nutanix.com/trust/compliance-and-certifications.
For customers needing to operate under FedRAMP or ITAR compliance regimes, Xi Government Cloud has achieved FedRAMP Authorized status at a Moderate security impact level (IL-2). Customers must bring their own infrastructure to use Xi Government Cloud.