VMware vCloud Director is a flexible system for providing cloud computing services. It leverages and extends VMware's core virtualization and management technologies for support of cloud environments.

Because the system was developed and tested with multitenancy, scalability and other security concerns in mind, the way in which it is deployed can have a significant impact on the security of the overall system. This document describes some possible threats the system faces, as well the security features provided by the overall VMware software stack and the related components it uses, such as databases.

No set of guidelines can cover all possible customer use cases. Each deployment of vCloud Director may have its own IT environment, with differences in network topology, internal security systems and standards, customer requirements, and use cases. Some general guidelines will be given to increase the overall security of the system. Where appropriate, more specific usage scenarios will also be considered along with guidance tailored to those particular cases. Nevertheless, the specific recommendations from this guide that you choose to follow will ultimately depend on your unique deployment environment, as well as the threats you determine to be a risk for your organization and wish to mitigate.

In general, threats to vCloud Director fall into two separate baskets: internal threats and external threats. Internal threats typically involve issues of multitenancy, and external threats target the security of the hosted cloud environment, but those lines are not hard and fast. There are internal threats that attack the security of the hosting environment, for example.

In addition to following the guidance in this document, you should monitor the security advisories at http://www.vmware.com/security/advisories.html and sign up for email alerts using the form on that page. Additional security guidance and late-breaking advisories for vCloud Director will be posted there.

Scope of Recommendations

Recommendations provided in this guide are limited to the management of security issues specific to vCloud Director. As a Web application hosted on a Linux platform, vCloud Director is subject to the security vulnerabilities present in those two categories, all of which are documented elsewhere.

It is also important to remember that secure deployment of software is only part of an overall security process, which includes physical security, training, operational procedures, patch strategy, escalation and response plans, disaster recovery, and many other topics. Most of these ancillary topics are not discussed in this guide.