Nutanix Frame, a cloud-based Platform as a Service (PaaS), enables customers to deliver virtualized applications and desktops hosted in either public and/or private clouds to end users. End users only need an HTML5 browser on a connected device. Nutanix operates and maintains the Frame Platform which provides customers with automated cloud resource orchestration, user session brokering, and environment administration.
With a distributed system such as Frame, customers must understand how their data, particularly customer data and personal information, is collected, processed, transmitted, stored, and safeguarded. Data residency defines the physical location(s) of an organization's data, usually for regulatory reasons.
This document outlines what Frame customer data and personal information is generated, collected, and transmitted. This document also describes where data is generated and stored and the data safeguarding measures Nutanix and customers must implement to ensure the data is secured.
What Data is Stored Where?
The figure below is a visual representation of the different domains where data is accessed and transmitted during a Frame session.
This section defines the data generated, received, transmitted, and/or stored on the end user's device.
- Authentication Token: A security token, generated by the Frame identity service, granted to a user once the user is authenticated based on the validity of the SAML2 or OAuth2 assertion. The security token is valid up to the Authentication token expiration value configured in the Frame SAML2 authentication provider configuration. If the user is inactive for the configured amount of time, Nutanix Console will log out the user. If the user is active within the console (e.g., clicks on hyperlinks, moves the mouse/cursor, scrolls, or presses keys), the token will be renewed just before the token expires. If the user is in a Frame session, the token is automatically renewed so the user is not disconnected while in session. For customers using SAML2 identity providers, roles (authorization) assigned to the user are based on the SAML claim(s) that are provided by the customer's identity provider.
- Session Token: A Frame session security token, generated by Frame Platform and provided to the user's browser, after an authenticated and authorized user has started a session. The session token is presented by the user browser to Frame Platform, Streaming Gateway Appliance (if deployed as a reverse proxy server), and the assigned workload VM. The user is only allowed to access the protected resource once the user's session token is validated by the Frame Control Plane. The session token can only be used with the assigned workload VM and is valid up to the max session duration time configured within the Dashboard.
- Session Stream: Session Stream is the video stream of the display(s) and audio, encoded in the Frame Remoting Protocol, an H.264-based video stream, sent from the workload virtual machine (VM) to the user's browser. Any keyboard/mouse events, input audio (if the microphone is enabled), and input video (if the webcam is enabled) are sent from the user to the workload VM. Frame Remoting Protocol (FRP) 7 uses Secure WebSocket (tcp/443, TLS) and FRP8 uses WebRTC (udp/3478 or udp/4503-4509, DTLS) to communicate between the end user and the workload VM.
- Session Metadata: Session metadata refers to the details generated on the end user's device that Frame Platform collects as various operations are performed during a Frame session. The data can be used to identify users, session start times and durations, the instance type used, the session type (desktop or published applications), the published applications used, and other operational details. The session metadata consists of the following data inputs:
- User device and workload VM IP addresses: Identifies the Internet Protocol (IP) address of the user's device and the workload VMs accessed by the user during a Frame session. Both IP addresses may be private (private networking) or public.
- User identifier: Identifies the user in the session, in the form of an email address. Depending on the customer, this user identifier may be an actual or fictitious email address, provided by the customer's identity provider or by the Frame Secure Anonymous Token feature.
- Session ID: The numeric identifier of a specific virtual Frame session.
- Session Type: Desktop or Application
- Published application launched: This describes the application(s) in-use by the user.
- Clipboard: End users have the ability to copy and paste bidirectionally between the user's device and the workload VM or unidirectionally, if the administrator enables the feature in Session Settings for a Frame Account.
- Upload/Download: End users have the ability to upload and/or download files between the user's device and the workload VM, if the administrator enables the feature in Session Settings for a Frame Account.
- Printer: End users have the ability to print on printers locally accessed by the user's device, if the administrator enables the feature in Session Settings for a Frame Account.
- Microphone: The end user can send input audio from the microphone on their endpoint to the workload VM, if the administrator enables the feature in Session Settings for a Frame Account.
- Webcam: The end user can send input video from the webcam on their endpoint to the workload VM, if the administrator enables the feature in Session Settings for a Frame Account.
Frame Platform Data
For all Frame (Commercial) deployments, both US domestic and international, Frame Platform data is stored in the AWS US East region. For Government Cloud (FedRAMP), Frame Platform data is stored in AWS GovCloud (US West 1).
In addition to the data types transmitted to/from the end user described in the above section, the following data is received, transmitted, generated, and/or stored by Frame Platform as part of the service.
User identity and attributes: Depending on the customer's choice of identity provider and what personal information the identity provider passes to Frame Platform, Frame Platform will store user identity and attributes for authorization and activity logging. Common parameters provided as part of any user authentication event are:
- First name and last name
- Email address
- Associated groups
Some customers can choose to anonymize user identities during user authentication events by providing fictitious first name, last name, and email addresses to Frame Platform. However, that may result in anonymous activity logs or require customers to correlate Frame activity logs with their own system logs.
System Configuration: Frame Platform also stores system configurations for each customer so that customers can customize their environments and user session behavior. These configuration options include:
Role-based access control (RBAC) settings: Allows the customer to grant access to features and functionality based on the user's role within Frame Platform once the user has authenticated to Frame via a customer-selected identity provider.
Capacity settings: Provides the customer with the ability to specify the number of virtual machines for a given instance type and the power management schedule of these virtual machines.
Session settings: Enables user features, session timeout policies, and Quality of Service settings at the account level or on specific Launchpads.
Cloud/data center configurations: Determines the public cloud regions or Nutanix AHV clusters that will be used to provision Frame accounts.
Cloud Credentials: Holds the information required for interacting with the public IaaS API gateways. For AWS, it is an IAM role created by the customer using a Nutanix-supplied Cloud Formation template. In the case of Azure, it is an Azure Active Directory app registration. For Google, it is a Google Project ID.
Onboarded Application Information: Stores information about the onboarded applications (i.e., published applications). Specifically, the application icon, application executable path, working directory, and command line arguments.
Windows Events: The Frame Guest Agent will parse and send Windows Event Logs (Application and System) to the Frame Logging endpoint to assist Customer Support and Customer Success with troubleshooting workload issues. This data is retained for 21 days. Customers may opt out by contacting Support if they prefer that these Windows logs not be collected. By default, the event sources are:
- Windows Logs > Application:
  - Application Error
  - Windows Error
  - User Profile Service
  - User Device Registration
- Windows Logs > System:
  - Service Control Manager
Workload VM Data
Session Token: described in the prior section
Session Stream: described in the prior section
Session Metadata: described in the prior section
Session Telemetry: Session telemetry refers to the measurement of session characteristics between the end user's browser and the Frame workload VM (e.g., bandwidth, latency) and the reporting of workload VM performance metrics (e.g., CPU, memory). This data is collected by Frame Platform and used to evaluate session performance and quality of the experience for the user. The two key metrics are:
Bandwidth: Refers to the real-time data transmission capacity of the network between the user and the workload VM. When a user is in a Frame session, the real-time bandwidth is displayed on the left of the Frame status bar. Five indicator dots next to the Frame gear menu icon give a visual representation of the user's current bandwidth measurement:
- Red dots: 1 to 2 Mbps
- Yellow dots: 2 to 4 Mbps
- Green dots: 4 to 8+ Mbps
Latency: Refers to the delay before a transfer of data begins following an instruction for its transfer. This is the time it takes for a single packet of data to go from the user's browser to the workload VM.
Clipboard: described in the prior section
Upload/Download: described in the prior section
Data Processing: All applications installed by the customer or its users execute on the workload VMs. The customer has the option of offloading the processing of data to other compute infrastructure (e.g., rendering engines, machine learning servers, application servers) controlled, managed, and/or selected by the customer.
Storage Mounts/Data: Any data generated by these applications remains within the workload VM until the user saves the data in persistent storage (profile disk, personal drive, file server, cloud storage). The customer determines what persistent storage options the end user may use (and where the persistent storage is located).
Sandbox Configuration (template image): Each Frame account has one Sandbox, a VM that manages the master image for the account. Customer administrators use the Sandbox to install and update their applications and manage the operating system. When the administrator publishes the Sandbox, a snapshot of the Sandbox image is backed up and cloned to create the production VMs of the Frame account. The Sandbox VM is persistent. Any applications or files stored in the Sandbox image will be included in the production VM images.
User Profiles: For non-persistent Frame accounts, customer administrators can enable the Frame Enterprise Profile feature in order for user application profiles and user folders (e.g., Documents, Desktop, Downloads, etc.) to be redirected to user profile disks. This profile disk is mounted when a user enters a Frame session and unmounted when a user closes their Frame session. User profile disks are stored as part of the Frame account. The user can back up and restore their own user profile disk.
Personal Drives: Customer administrators can configure a Frame account to provision and manage a personal drive for each user. User personal drives are stored as part of the Frame account. The user can back up and restore personal drives.
Cloud services follow a shared-responsibility model: Nutanix and customers each have a share of the responsibility for ensuring the data is protected. Nutanix is responsible for the security of Frame Platform. Customers are responsible for the security of the users' endpoints, the infrastructure they bring to Frame (including the workload VMs), and any use of application and storage services they provide to their users.
In general, Frame stores all data at rest in an encrypted form using the underlying infrastructure's storage encryption capabilities, including the safeguarding of the storage encryption/decryption keys. The encrypted data includes data stored within Frame Platform as well as all data stored in the workload VM disks, profile disks, and personal drives.
All communications between the system components are encrypted using TLS 1.2 (HTTPS and Secure WebSocket) and DTLS (FRP8, WebRTC).
Nutanix Frame supports the ability for customers to integrate their own enterprise SAML2 or OAuth2 identity provider with their Frame customer (or an organization) entity. Customers may integrate as many identity providers as they wish at the customer or organization entity levels.
Nutanix Frame provides customers who integrate an enterprise SAML2 or OAuth2 identity provider the ability to define authorization rules that grant users (or groups of users) the specified privileges to access or perform operations on specific protected resources.
Nutanix maintains a set of global certifications for Frame, including SOC 2 Type 2, SOC 3 and ISO 27001/27017/27018/27701. Details can be found at https://www.nutanix.com/trust/compliance-and-certifications.
For customers needing to operate under FedRAMP or ITAR compliance regimes, Nutanix Government Cloud has achieved FedRAMP Authorized status at a Moderate security impact level (IL-2). Customers must bring their own infrastructure to use Nutanix Government Cloud.