When we examine security and network isolation in this document, we aim to assess the risk that network separation and traffic isolation controls are insufficient, and to select the recommended corrective actions.

When looking at network segmentation, we use the notion of a trust zone. Trust zones are a proactive security control that governs access to network traffic. A trust zone is loosely defined as a network segment within which data flows relatively freely, whereas data flowing into and out of the trust zone is subject to stronger restrictions. Examples of trust zones include:

  • Perimeter networks (also called demilitarized zones or DMZs)
  • Payment-card industry (PCI) cardholder data environment
  • Site-specific zones, such as segmentation according to department or function
  • Application-defined zones, such as the three tiers of a Web application
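As an added illustration, not taken from the original document, the following Python models the last example above, the three tiers of a Web application, as trust zones and audits a set of flow records against the zone policy: traffic within a zone is allowed, traffic across zones only where explicitly permitted. The subnets, ports and flow records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example: each trust zone of a three-tier Web application
# is defined by the subnets that belong to it.
ZONES = {
    "web": [ip_network("10.1.0.0/24")],
    "app": [ip_network("10.2.0.0/24")],
    "db":  [ip_network("10.3.0.0/24")],
}

# Explicit cross-zone permissions as (source zone, destination zone, port).
# Everything not listed here is denied; intra-zone traffic is always allowed.
ALLOWED_CROSS_ZONE = {
    ("web", "app", 8443),  # front end to application tier
    ("app", "db", 5432),   # application tier to database
}

def zone_of(ip: str):
    """Return the trust zone containing ip, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None

def is_permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Apply the zone policy to a single flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False          # traffic from or to an undefined zone is denied
    if src == dst:
        return True           # data flows freely inside a trust zone
    return (src, dst, dst_port) in ALLOWED_CROSS_ZONE

def audit_flows(flows):
    """Return the flows that violate the zone policy."""
    return [flow for flow in flows if not is_permitted(*flow)]

# Constructed flow records (src_ip, dst_ip, dst_port), e.g. from flow logs.
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.2.0.7", 8443),      # web -> app: permitted
    ("10.2.0.7", "10.3.0.9", 5432),      # app -> db: permitted
    ("10.1.0.5", "10.3.0.9", 5432),      # web -> db bypasses the app tier
    ("10.1.0.5", "10.1.0.6", 22),        # intra-zone: permitted
    ("10.3.0.9", "10.2.0.7", 8443),      # db -> app: reverse direction
    ("192.168.9.9", "10.3.0.9", 5432),   # source outside every zone
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", flow)
```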

Security and the Underlying Virtualization Layer

A significant portion of vCloud Director security, especially in protecting cloud tenants from internal threats, comes from the security design and the specific configuration of the underlying virtualization layer. This includes the design and configuration of vSphere, the additional security of vCloud Director software-defined networks, the use of NSX technology, and the security of the ESXi hosts themselves.