Across all regulations or standards, security principles dictate the mindset for applying security controls in VMware Cloud Foundation.

The security concepts are treated as guiding principles to develop a secure VMware Cloud Foundation environment that leverages capabilities available across all products. These principles do not only result in the configurations identified in this guidance but are also inherent in product capabilities. Organizations that leverage these guidelines can expand these capabilities across the Software-Defined Data Center to include people, process, and technology controls. Each organization must tailor these principles and prioritize how they approach them.

Separation of duties
  • Assign roles to users to separate conflicts of duty

  • Roles can be customized and further tailored as needed.

  • Restrict the use of super users

  • Create service accounts where possible

  • Create separate accounts for system-to-system communication

  • Separate production from development environments

  • Evaluate access to create, edit, or delete permissions

  • Assign only read-only access where possible

Least privilege
  • Disable unused services

  • Do not grant or retain permissions longer than needed

Confidentiality - Integrity - Availability (CIA)
  • Protect the data and the assets used to access it

  • Confidentiality applies to the authorization to access the data

  • Integrity applies to the authorization to modify the data

  • Availability applies to the accessibility to access the data

Defense in depth
  • Do not allow lateral movement

  • Isolate environments

  • Patch systems

  • Implement layered security

Zero trust
  • Implicit access denial regardless of origin

  • Treat internal network as a potential threat vector

  • Access is restricted via a trust broker

  • Applications are hidden from discovery

Secure Software Development Life-Cycle (SDLC)
  • VMware performs static code analysis

  • VMware performs penetration testing

  • VMware performs vulnerability scan

  • Align development with VMware internal vSECR software development security guidelines/procedures

Data in transit protection
  • Encryption of virtual machines during migration between hosts

  • Use of encrypted mechanism when a super user is interacting with server consoles

Data at rest protection
  • Encryption of virtual machines while powered off (at rest)

Trusted Computing Base (TCB)
  • Architecture view that brings together the collection of all the hardware, software, and firmware components (including the security kernel and reference monitor)

  • Brings a unified security policy and baseline consistent across various layers, abstractions, and detailed components to meet security requirements.