Information security and access control details the design decisions for both users/groups and integrations authentication and access controls, as well as password and certificate management.

Identity Management Design for Cloud-Based Automation for VMware Cloud Foundation

As an organization owner, you add users to your organization and provide access to the cloud-based automation services.

As the cloud administrator for cloud-based automation services, you establish an integration with your organization's identity provider, which allows you to use your organization's directory services for cloud-based automation authentication. After the integration, you control authorization to your organization, services, and projects by assigning organization and service roles to users. The Organization owner role allows you to add users to your organization and provide access to the cloud-based automation services.

As an Organization owner, you can add and change the role assignment for users. In this solution, you assign organization, service, and project roles to users.

For more information about organization roles and their permissions, see the VMware Aria Automation documentation.

Table 1. Design Decisions on Identity Management for Cloud-Based Automation

Decision ID: CBA-IAM-SEC-001
Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
Design Justification: Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.
Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

Decision ID: CBA-IAM-SEC-002
Design Decision: Limit the scope and privileges for accounts used for interactive or API access and solution integration.
Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

Decision ID: CBA-IAM-SEC-003
Design Decision: Assign Cloud-Based Automation organization, service, and project roles to designated Active Directory users.
Design Justification: To provide access to Cloud-Based Automation services, you assign Active Directory users to organization and service roles.
Design Implication: None.

Service Accounts Design for VMware Aria Automation for Cloud-Based Automation for VMware Cloud Foundation

You add and configure accounts associated with other solutions to activate cloud accounts for vCenter Server instances and NSX Manager clusters across VMware Cloud Foundation instances. You configure the service accounts to provide and control integration between VMware Aria Automation Orchestrator-to-vCenter Server endpoint instances.

Accounts are assigned roles for integration between VMware Aria Automation Assembler and the VI workload domain vCenter Server instances and VI workload domain NSX Manager clusters across the VMware Cloud Foundation instances.

Note: For an environment with NSX Federation, you configure NSX-T Manager cloud accounts for the VI workload domain NSX Local Manager instances.

This solution ensures that the context of each integration uses the least privilege and permissions scope required for the private cloud integrations.

Table 2. Design Decisions on Service Accounts for Cloud Accounts in VMware Aria Automation Assembler

Decision ID: CBA-CA-SEC-001
Design Decision: Define a custom vCenter Server role for VMware Aria Automation Assembler that has minimum privileges required to support a vCenter Server cloud account.
Design Justification: VMware Aria Automation Assembler integrates with VI workload domain vCenter Server instances using a minimum set of privileges required to support the cloud account.
Design Implication:
  • You must maintain the privileges required by the custom vSphere role.
  • If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

Decision ID: CBA-CA-SEC-002
Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Automation Assembler and vCenter Server.
Design Justification: Provides the following access control features:
  • VMware Aria Automation Assembler accesses each VI workload domain vCenter Server instance with a minimum set of permissions.
  • If there is a compromised account, the accessibility to the destination cloud account remains restricted.
  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Assembler and the vCenter Server endpoint in the cloud account.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Decision ID: CBA-CA-SEC-003
Design Decision: Create and assign the NSXEnterprise admin role to an Active Directory user account as a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware Aria Automation Assembler and NSX.
Design Justification: Provides the following access control features:
  • VMware Aria Automation Assembler accesses each VI workload domain NSX Manager with the minimum set of required permission.
  • If there is a compromised account, the accessibility to the destination cloud account remains restricted.
  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Assembler and the NSX Manager endpoint in the cloud account.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Table 3. Design Decisions on Service Accounts for VMware Aria Automation Orchestrator

Decision ID: CBA-VRO-SEC-001
Design Decision: Define a custom vCenter Server role for VMware Aria Automation Orchestrator that has minimum privileges required to support adding VI workload domain vCenter Server instances.
Design Justification: VMware Aria Automation Orchestrator integrates with VI workload domain vCenter Server instances by using the minimum set of privileges required to support the vCenter Server registration.
Design Implication:
  • You must maintain the privileges required by the custom vSphere role.
  • If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.
  • VMware Aria Automation Orchestrator requires the Administrator level privilege to register a vCenter Server instance and cannot use a restricted account for that step. After the VI workload domain is added, you can update and reduce the privileges for the custom role.

Decision ID: CBA-VRO-SEC-002
Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Automation Orchestrator and vCenter Server.
Design Justification: Provides the following access control features:
  • VMware Aria Automation Orchestrator services access VI workload domain vCenter Server instances with the minimum set of required permissions.
  • If there is a compromised account, the accessibility to the destination integration remains restricted.
  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Orchestrator and the vCenter Server instances.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Password Management Design for Cloud-Based Automation for VMware Cloud Foundation

Password management design details the design decisions covering password policy configuration and password management of the Cloud Proxy and Cloud Extensibility Proxy appliances.

Password Policies for the Cloud Proxy and Cloud Extensibility Proxy Appliances

Within the Cloud Proxy and Cloud Extensibility Proxy appliances, you can enforce password policies for access by using the virtual appliance console and SSH. You configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for the Cloud Proxy and Cloud Extensibility Proxy Appliances

You manage the password expiration policy on a user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 4. Default Password Expiration Policy for Cloud Proxy and Cloud Extensibility Proxy Appliances

| Setting | Default | Description |
| --- | --- | --- |
| maxdays | 90 | Maximum number of days between password changes |
| mindays | 0 | Minimum number of days between password changes |
| warndays | 7 | Number of days of warning before the password expires |

Password Complexity Policy for the Cloud Proxy and Cloud Extensibility Proxy Appliances

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Password Complexity Policy for Cloud Proxy and Cloud Extensibility Proxy Appliances

| Setting | Default | Description |
| --- | --- | --- |
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 8 | Minimum password length |
| minclass | 4 | Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on) |
| difok | 4 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
| maxsequence | 0 | Maximum number of times a single character can be repeated |
| remember | 3 | Maximum number of passwords the system remembers |

Account Lockout Policy for the Cloud Proxy and Cloud Extensibility Proxy Appliances

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 6. Default Account Lockout Policy for Cloud Proxy and Cloud Extensibility Proxy Appliances

| Setting | Default | Description |
| --- | --- | --- |
| deny | 3 | Maximum number of authentication failures before the account is locked |
| unlock_time | 600 | Amount of time in seconds that the account remains locked |
| root_unlock_time | 600 | Amount of time in seconds that the root account remains locked |
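The following audit script is an added example and is not part of this design guide or of the appliance software. It parses the PAM configuration lines that carry the complexity settings of Table 5 and the lockout settings of Table 6, compares them with the documented defaults, and reports every option that is missing or differs, so that a drift from the values your organization chose is caught before a local account is exercised. It assumes the complexity options sit on a pam_cracklib.so or pam_pwquality.so line in /etc/pam.d/system-password, `remember` on the pam_unix.so or pam_pwhistory.so line of the same file, and the lockout options on a pam_tally2.so or pam_faillock.so line in /etc/pam.d/system-auth; the two file contents embedded below are constructed samples, one at the defaults and one with a weakened lockout.

```python
"""Audit PAM password-complexity (Table 5) and account-lockout (Table 6) settings
against the documented appliance defaults and report what differs.

Added example, not VMware code. Module names are assumptions (see lead-in);
the sample file contents are constructed.
"""
import re

COMPLEXITY_DEFAULTS = {
    "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1,
    "minlen": 8, "minclass": 4, "difok": 4, "retry": 3,
    "maxsequence": 0, "remember": 3,
}
LOCKOUT_DEFAULTS = {"deny": 3, "unlock_time": 600, "root_unlock_time": 600}

# Assumed module names that carry the options on the appliance.
COMPLEXITY_MODULES = ("pam_cracklib.so", "pam_pwquality.so",
                      "pam_unix.so", "pam_pwhistory.so")
LOCKOUT_MODULES = ("pam_tally2.so", "pam_faillock.so")

# Constructed sample: complexity settings exactly at the documented defaults.
SAMPLE_SYSTEM_PASSWORD = """\
# constructed sample of /etc/pam.d/system-password
password  requisite  pam_cracklib.so  dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
password  required   pam_unix.so      sha512 shadow use_authtok remember=3
"""

# Constructed sample: lockout loosened well beyond the documented defaults.
SAMPLE_SYSTEM_AUTH = """\
# constructed sample of /etc/pam.d/system-auth
auth  required  pam_tally2.so  deny=10 unlock_time=60 root_unlock_time=60 onerr=fail audit
auth  required  pam_unix.so    try_first_pass
"""

OPTION_RE = re.compile(r"(\w+)=(-?\d+)")


def parse_pam_options(text, modules):
    """Collect key=<integer> options from every line whose module is in `modules`.
    Other modules and non-numeric options (sha512, onerr=fail) are ignored."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[2] not in modules:
            continue
        for option in fields[3:]:
            m = OPTION_RE.fullmatch(option)
            if m:
                found[m.group(1)] = int(m.group(2))
    return found


def audit(settings, defaults):
    """Return {option: (expected, actual)} for every documented option that is
    missing (actual is None) or set to a value other than the default."""
    return {k: (v, settings.get(k)) for k, v in defaults.items() if settings.get(k) != v}


def weaker_lockout(settings, defaults=LOCKOUT_DEFAULTS):
    """Lockout options whose value is weaker than the default: more failures
    allowed before lockout, or a shorter lock duration. A missing option counts
    as weaker because the module then falls back to its own default."""
    weak = []
    for option, default in defaults.items():
        actual = settings.get(option)
        if actual is None:
            weak.append(option)
        elif option == "deny" and actual > default:
            weak.append(option)
        elif option != "deny" and actual < default:
            weak.append(option)
    return weak


if __name__ == "__main__":
    complexity = parse_pam_options(SAMPLE_SYSTEM_PASSWORD, COMPLEXITY_MODULES)
    lockout = parse_pam_options(SAMPLE_SYSTEM_AUTH, LOCKOUT_MODULES)
    print("complexity deviations:", audit(complexity, COMPLEXITY_DEFAULTS))
    print("lockout deviations:", audit(lockout, LOCKOUT_DEFAULTS))
    print("lockout weaker than default:", weaker_lockout(lockout))
```

On an appliance, pass the real file contents instead of the samples, for example `parse_pam_options(open("/etc/pam.d/system-password").read(), COMPLEXITY_MODULES)`, and replace the default dictionaries with the values your organization has chosen so that the report flags drift from your policy rather than from the shipped defaults.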

Table 7. Design Decisions on Password Policies for Cloud Proxy and Cloud Extensibility Proxy Appliances

Decision ID: CBA-CDP-SEC-001
Design Decision: Configure the local user password expiration policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user password expiration policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user password expiration policy is applicable to the root account for the Cloud Proxy appliance.
Design Implication: You must manage the local user password expiration settings on each Cloud Proxy instance by using the appliance console.

Decision ID: CBA-CDP-SEC-002
Design Decision: Configure the local user password complexity policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user password complexity policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user password complexity policy is applicable only to the local Cloud Proxy appliance users.
Design Implication: You must manage the local user password complexity settings on each Cloud Proxy instance by using the appliance console.

Decision ID: CBA-CDP-SEC-003
Design Decision: Configure the local user account lockout policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user account lockout policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user account lockout policy is applicable only to the local Cloud Proxy appliance users.
Design Implication: You must manage the local user account lockout settings on each Cloud Proxy instance by using the appliance console.

Decision ID: CBA-CEP-SEC-001
Design Decision: Configure the local user password expiration policy for each Cloud Extensibility Proxy instance.
Design Justification:
  • You configure the local user password expiration policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user password expiration policy is applicable to the root account for the Cloud Extensibility Proxy appliance.
Design Implication: You must manage the local user password expiration settings on each Cloud Extensibility Proxy instance by using the appliance console.

Decision ID: CBA-CEP-SEC-002
Design Decision: Configure the local user password complexity policy for each Cloud Extensibility Proxy instance.
Design Justification:
  • You configure the local user password complexity policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user password complexity policy is applicable only to the local Cloud Extensibility Proxy appliance users.
Design Implication: You must manage the local user password complexity settings on each Cloud Extensibility Proxy instance by using the appliance console.

Decision ID: CBA-CEP-SEC-003
Design Decision: Configure the local user account lockout policy for each Cloud Extensibility Proxy instance.
Design Justification:
  • You configure the local user account lockout policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.
  • The local user account lockout policy is applicable only to the local Cloud Extensibility Proxy appliance users.
Design Implication: You must manage the local user account lockout settings on each Cloud Extensibility Proxy instance by using the appliance console.

Password Management for the Cloud Proxy and Cloud Extensibility Proxy Appliances

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. To ensure continued access, you must manage the life cycle of the root account password for the Cloud Proxy and Cloud Extensibility Proxy appliances.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password across components as required.

Table 8. Design Decisions on Password Management for Cloud Proxy and Cloud Extensibility Proxy Appliances

Decision ID: CBA-CDP-SEC-004
Design Decision: Change the Cloud Proxy root password on a recurring or event-initiated schedule.
Design Justification: By default, the password for the Cloud Proxy root account expires every 90 days.
Design Implication: None.

Decision ID: CBA-CEP-SEC-004
Design Decision: Change the Cloud Extensibility Proxy root password on a recurring or event-initiated schedule.
Design Justification: By default, the password for the Cloud Extensibility Proxy root account expires every 365 days.
Design Implication: None.
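The following script is an added example and is not part of this design guide or of the appliance software. It serves both the expiration policy of Table 4 and the recurring root password change of Table 8: it reads /etc/shadow-format records, reports which local accounts deviate from the documented aging defaults, and computes how many days remain before each password expires, so that the root password can be rotated before the appliance locks you out. It assumes the standard shadow layout (field 3 is the day of the last change as days since 1970-01-01, field 4 mindays, field 5 maxdays, field 6 warndays); the records embedded below are constructed and the hashes are placeholders.

```python
"""Report local-account password aging on a Cloud Proxy / Cloud Extensibility
Proxy appliance: deviations from the documented defaults (Table 4) and days
until expiry, the trigger for the recurring root password change (Table 8).

Added example, not VMware code. Sample records are constructed.
"""
from datetime import date

DEFAULTS = {"mindays": 0, "maxdays": 90, "warndays": 7}

# Constructed /etc/shadow excerpt: root at the defaults, a service account with a
# 365-day maximum, and a passwordless system account that carries no aging.
SAMPLE_SHADOW = """\
root:$6$placeholderhash:19600:0:90:7:::
svc-integration:$6$placeholderhash:19300:0:365:7:::
daemon:*:19000::::::
"""


def days_since_epoch(day):
    """Convert a date to the day count that /etc/shadow uses."""
    return (day - date(1970, 1, 1)).days


def parse_shadow(text):
    """Return {user: aging fields} for accounts that have a usable password hash.
    Locked ('!' prefix) and passwordless ('*') accounts carry no aging to audit."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9 or not fields[0] or fields[0].startswith("#"):
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "*" or pw_hash.startswith("!"):
            continue
        accounts[user] = {
            "lastchange": int(fields[2]) if fields[2] else None,
            "mindays": int(fields[3]) if fields[3] else 0,
            "maxdays": int(fields[4]) if fields[4] else None,  # None: never expires
            "warndays": int(fields[5]) if fields[5] else 0,
        }
    return accounts


def expiry_report(accounts, today_days, defaults=DEFAULTS):
    """For each account: aging fields that differ from the defaults, days until
    the password expires (negative means already expired), and a status."""
    report = {}
    for user, aging in accounts.items():
        deviations = [k for k in defaults if aging[k] != defaults[k]]
        if aging["maxdays"] is None or aging["lastchange"] is None:
            days_left, status = None, "never-expires"
        else:
            days_left = aging["lastchange"] + aging["maxdays"] - today_days
            if days_left < 0:
                status = "expired"
            elif days_left <= aging["warndays"]:
                status = "warn"
            else:
                status = "ok"
        report[user] = {"deviations": deviations, "days_left": days_left, "status": status}
    return report


if __name__ == "__main__":
    today = days_since_epoch(date.today())
    for user, row in expiry_report(parse_shadow(SAMPLE_SHADOW), today).items():
        print(f"{user:16} {row['status']:14} days_left={row['days_left']} "
              f"deviations={row['deviations']}")
```

Run it against the real file (reading /etc/shadow requires root) on a schedule and alert on any account in the `warn` or `expired` state; an account listed with `maxdays` in its deviations is one whose expiration policy no longer matches the documented default and should be reviewed against the policy chosen in CBA-CDP-SEC-001 or CBA-CEP-SEC-001.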

Certificate Management Design for VMware Aria Automation for Cloud-Based Automation for VMware Cloud Foundation

The VMware Aria Automation Orchestrator user interface and API endpoint use HTTPS connections.

VMware Aria Automation Orchestrator Certificates

The VMware Aria Automation Orchestrator user interface and API endpoint use a secure connection to communicate with VI workload domain vCenter Server instances, database systems, LDAP, and other servers. You can import an SSL certificate from a URL or PEM file to replace the SSL certificate of the VMware Aria Automation Orchestrator instance.

Table 9. Design Decisions on Certificates for VMware Aria Automation Orchestrator

Decision ID: CBA-CEP-SEC-002
Design Decision: Use a certificate authority signed certificate containing the FQDN of the Cloud Extensibility appliance.
Design Justification: Ensures that all communications between the components and to the externally facing browser-based UI and API are encrypted.
Design Implication:
  • Using certificates signed by a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.
  • You must manage the life cycle of the certificate.

Decision ID: CBA-CEP-SEC-003
Design Decision: Use a SHA-2 or higher algorithm for certificate signing.
Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
Design Implication: Not all certificate authorities support SHA-2 or higher.
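The following check is an added example and is not part of this design guide or of the VMware Aria Automation Orchestrator software. It verifies the signing-algorithm requirement of CBA-CEP-SEC-003 on a certificate before it is imported: it decodes only the outer X.509 DER structure (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }) and the AlgorithmIdentifier OID, so it needs no third-party library, and reports SHA-2 family signatures as acceptable and SHA-1 signatures as deprecated. The two certificates it builds at the bottom are constructed for the demonstration: their tbsCertificate is a dummy SEQUENCE and the signature is placeholder bytes, with only the signatureAlgorithm field shaped as in a real certificate. It does not check the FQDN in the subject alternative name (CBA-CEP-SEC-002).

```python
"""Report the signature algorithm of an X.509 certificate (CBA-CEP-SEC-003):
SHA-2 family passes, SHA-1 is flagged as deprecated.

Added example, not VMware code. The certificates built below are constructed.
"""
import base64

SHA2_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def read_tlv(buf, pos=0):
    """Decode the DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """OID content bytes to dotted form; the first byte packs the first two arcs."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(body)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, after_tbs)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_raw, _ = read_tlv(alg_id)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid_raw)


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def assess(der):
    """(algorithm name, verdict): 'ok' for SHA-2, 'deprecated' for SHA-1, else 'unknown'."""
    oid = signature_algorithm(der)
    if oid in SHA2_OIDS:
        return SHA2_OIDS[oid], "ok"
    if oid in SHA1_OIDS:
        return SHA1_OIDS[oid], "deprecated"
    return oid, "unknown"


# --- constructed certificates for the demonstration (not real certificates) ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    # Dummy tbsCertificate longer than 127 bytes so long-form lengths are exercised.
    tbs = der(0x30, der(0x02, b"\x02") + der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 33)          # placeholder BIT STRING
    body = base64.encodebytes(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(oid, "->", assess(pem_to_der(fake_cert_pem(oid))))
```

For a certificate received from your certificate authority, call `assess(pem_to_der(open("cert.pem").read()))` before importing it; a `deprecated` verdict means the request must be reissued with a SHA-2 signature, and an `unknown` verdict should be looked up rather than accepted.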