Security threats to vCloud Director can be broadly categorized as either internal threats that originate within the system and its tenants, or external threats that originate outside the system. This latter category includes threats to the infrastructure created to host a vCloud Director server group and threats to the installed vCloud Director software.
Multitenancy and Internal Threats
vCloud Director is designed to give tenants managed access to VMware vSphere ® network, computing and storage resources. Tenant users can log into vCloud Director and are generally given rights to deploy and/or use virtual machines, use storage, run applications, and (to a limited extent) share resources with other users.
One of the key features of vCloud Director is that it does not provide direct visibility or access to most system-level resources — including physical host information such as IP addresses, MAC addresses, CPU type, ESXi access, physical storage locations, and so on — to non administrative users. However, users may still attempt to gain access to information about the system infrastructure on which their cloud-enabled applications run. If they were able to do so, they might be able to better launch attacks against the lower levels of the system.
Even at the level of virtualized resources, users can attempt to use their legitimate access to obtain unauthorized access to parts of the system they are not entitled to, such as resources that belong to another organization. They might attempt privilege escalation, in particular, obtaining access to actions reserved for administrators. Users may also attempt actions that, intentionally or not, disrupt the overall availability and performance of the system, in extreme cases resulting in a "denial of service" for other users.
In addition, a variety of administrative users generally exist. These include the system administrator for a vCloud Director site, tenant organization administrators, administrators of databases and networks, and users with access rights to ESXi, vCenter, and guest operating systems that run management tools. These users have higher privileges compared to ordinary users, and usually have direct login to internal systems. Nevertheless their privileges are not unlimited. There is a potential threat that they too may attempt privilege escalation or take harmful actions.
As will be seen, the security of vCloud Director from these threats comes from the architecture, design, and implementation of vCloud Director, vSphere, and VMware NSX ™, along with other security systems, and the infrastructure on which these systems are deployed. Due to the flexibility and dynamic nature of these systems, it is critical to follow the applicable security configuration guidance for all these components.
Secure Hosting and External Threats
The sources of external threats are systems and users from outside the cloud, including the Internet, attacking vCloud Director through its APIs and Web interfaces (the vCloud Director Web Console and vCloud Director Tenant Portal), as well as the vApp transfer service and the virtual machine remote console. A remote user who has no access rights to the system can attempt to gain access as an authorized user. Authenticated users of those interfaces can also be considered to be the sources of external threats, as they may try to exploit vulnerabilities in the system not available to unauthenticated users.
Typically, these actors attempt to exploit flaws in the system implementation or its deployment in order to obtain information, acquire access to services, or simply to disrupt the operation of the cloud through loss of system availability or system and information integrity. As the description of these attacks implies, some of these attacks violate the tenant boundaries and hardware abstraction layers that vCloud Director attempts to enforce. While the deployment of the different layers of the system affects the mitigation of these threats, the externally facing interfaces, including firewalls, routers, VPNs, and so on, are of utmost concern.