The information security and access control design covers the design decisions for users and groups, for the authentication of solution integrations, for access controls, and for password management.

Identity Management Design for Cloud-Based Intelligent Operations for VMware Cloud Foundation

As the cloud administrator for VMware Cloud services, you establish an integration with the identity provider of your organization so that your organization's directory services authenticate users to VMware Cloud. After the integration, you control authorization to your organization, its services, and its projects by assigning organization roles and service roles to users. The Organization owner role lets you add users to your organization, assign and change their roles, and grant access to the VMware Aria Operations service. In this solution, you assign both an organization role and service roles to users.

Table 1. Design Decisions on Identity Management for Cloud-Based Intelligent Operations

CBO-IAM-SEC-001
Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
Design Justification: Local accounts are not tied to an individual user identity and do not provide complete auditing from an endpoint back to that identity.
Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBO-IAM-SEC-002
Design Decision: Limit the scope and privileges of the accounts used for interactive or API access and solution integration.
Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
Design Implication: You must define and manage custom roles and security controls that limit the scope and privileges used for interactive access or solution integration.

CBO-IAM-SEC-003
Design Decision: Assign VMware Aria Operations service roles to designated users.
Design Justification: Users gain access to the VMware Aria Operations service only through an assigned service role.
Design Implication: You must maintain the service roles required by the users of your organization.

Service Accounts Design for VMware Aria Operations for Cloud-Based Intelligent Operations for VMware Cloud Foundation

To activate cloud accounts for vCenter Server and SDDC Manager across VMware Cloud Foundation instances, you add and configure a service account for each solution that VMware Aria Operations integrates with.

In this solution, each integration and its associated cloud account use the least privilege and the narrowest permission scope that the integration requires.

Table 2. Design Decisions on Service Accounts for Cloud-Based Intelligent Operations

CBO-OPS-SEC-001
Design Decision: Create an Active Directory user account as a service account with least-privilege access in each SDDC Manager instance, for application-to-application communication between VMware Aria Operations and SDDC Manager.
Design Justification: Provides integration and data collection for the objects managed by SDDC Manager in a VMware Cloud Foundation instance.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-002
Design Decision: Define a custom vCenter Server role for VMware Aria Operations that has the minimum privileges required to support a vCenter Server cloud account.
Design Justification: VMware Aria Operations integrates with each workload domain vCenter Server instance using the minimum set of privileges required to support the cloud account.
Design Implication:
  • You must maintain the privileges required by the custom vSphere role.
  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be created in each vCenter Single Sign-On domain.

CBO-OPS-SEC-003
Design Decision: Assign the Enterprise Admin role to an NSX client certificate credential for each workload domain NSX Local Manager instance, for application-to-application communication between VMware Aria Operations and NSX Manager.
Design Justification:
  • Provides integration and data collection for the objects managed by NSX Manager in a given workload domain.
  • A client certificate credential removes the need to protect and maintain a local or Active Directory account and its password.
Design Implication: You must manage the credential and the life cycle of the certificate and its corresponding private key.

CBO-OPS-SEC-004
Design Decision: Assign the custom vCenter Server role to an Active Directory user account used as a service account for each workload domain vCenter Server instance, for application-to-application communication between VMware Aria Operations and vCenter Server.
Design Justification:
  • Provides integration and data collection for the objects managed by the vCenter Server instance in a given workload domain.
  • Restricting the service account to this one integration limits the impact of a compromise or a password-related event.
  • A named Active Directory account is auditable, unlike a generic administrative account.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-005
Design Decision: Use the vCenter Server service account for data collection on vSAN cloud accounts.
Design Justification: Because vSAN is a service managed by vCenter Server, it does not require separate credentials for the integration to function.
Design Implication: None.

Password Management Design for Cloud-Based Intelligent Operations for VMware Cloud Foundation

Password management design details the design decisions covering password policy configuration and password management of the Cloud Proxy appliance.

Password Policies for the Cloud Proxy Appliance

Within a Cloud Proxy appliance, you can enforce password policies for access through the appliance console and SSH. You configure these policies through the pluggable authentication module (PAM) configuration that is part of the appliance operating system. The policies apply only to local user accounts; they have no effect on users who authenticate through the organization's identity provider.

Password Expiration Policy for the Cloud Proxy Appliance

You manage the password expiration policy on a per-user basis; the settings are the standard shadow password aging fields of the account. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 3. Default Password Expiration Policy for the Cloud Proxy Appliance

maxdays (default 90): Maximum number of days between password changes; after this many days the password expires.
mindays (default 0): Minimum number of days between password changes.
warndays (default 7): Number of days of warning before the password expires.

Password Complexity Policy for the Cloud Proxy Appliance

You manage the password complexity policy in the /etc/pam.d/system-password file. You can edit the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 4. Default Password Complexity Policy for the Cloud Proxy Appliance

dcredit (default -1): Credit for digits. A negative value is the minimum number of digits required, so -1 requires at least one digit; a positive value is the maximum credit that digits contribute toward minlen.
ucredit (default -1): Credit for uppercase characters; -1 requires at least one uppercase character.
lcredit (default -1): Credit for lowercase characters; -1 requires at least one lowercase character.
ocredit (default -1): Credit for other (non-alphanumeric) characters; -1 requires at least one such character.
minlen (default 8): Minimum password length, after any credits are applied.
minclass (default 4): Minimum number of character classes (uppercase, lowercase, digits, other) that the password must contain.
difok (default 4): Minimum number of characters in the new password that do not appear in the old password.
retry (default 3): Maximum number of attempts to enter an acceptable new password before the module returns an error.
maxsequence (default 0): Maximum length of a monotonic character sequence such as 1234 or dcba; 0 disables the check. This setting does not limit repeats of a single character; that is the separate maxrepeat option.
remember (default 3): Number of previous passwords remembered so that they cannot be reused.

Account Lockout Policy for the Cloud Proxy Appliance

You manage the account lockout policy in the /etc/pam.d/system-auth file. You can edit the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for the Cloud Proxy Appliance

deny (default 3): Number of consecutive authentication failures before the account is locked.
unlock_time (default 600): Time in seconds that the account remains locked.
root_unlock_time (default 600): Time in seconds that the root account remains locked.
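Because the three policies live in three different places (the shadow aging fields, system-password, and system-auth), drift on any one Cloud Proxy instance is easy to miss. The following script is an added example, not VMware code or part of the Cloud Proxy appliance: it parses an /etc/shadow record and the two PAM files, compares what it finds against the defaults in Tables 3, 4 and 5, and reports every deviation together with the number of days until the account's password expires. It assumes that the appliance uses pam_pwquality (or pam_cracklib) together with pam_unix or pam_pwhistory in system-password, and pam_tally2 or pam_faillock in system-auth. The SAMPLE_* inputs are constructed for the example and deliberately weakened so that the audit has something to report.

```python
"""Audit the local-account password policies of a Cloud Proxy appliance
against the defaults in Tables 3, 4 and 5.

Added example, not VMware code. Assumptions: the appliance uses the standard
/etc/shadow aging fields, pam_pwquality (or pam_cracklib) plus pam_unix or
pam_pwhistory in /etc/pam.d/system-password, and pam_tally2 or pam_faillock in
/etc/pam.d/system-auth. The SAMPLE_* inputs are constructed and deliberately
weakened so that the audit has something to report.
"""
import re
import shlex
from datetime import date

# Defaults from Tables 3-5 on this page.
EXPIRY_DEFAULTS = {"maxdays": 90, "mindays": 0, "warndays": 7}
COMPLEXITY_DEFAULTS = {"dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1,
                       "minlen": 8, "minclass": 4, "difok": 4, "retry": 3,
                       "maxsequence": 0, "remember": 3}
LOCKOUT_DEFAULTS = {"deny": 3, "unlock_time": 600, "root_unlock_time": 600}

COMPLEXITY_MODULES = ("pam_pwquality.so", "pam_cracklib.so", "pam_unix.so", "pam_pwhistory.so")
LOCKOUT_MODULES = ("pam_tally2.so", "pam_faillock.so")


def pam_options(config_text, modules):
    """Collect integer key=value options from every PAM line that loads one of
    `modules`. Later lines override earlier ones, as PAM reads the stack."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        # Layout is: type control module [args...]; locate the module field so a
        # bracketed control such as [success=1 default=ignore] is not read as args.
        module_idx = next((i for i, f in enumerate(fields) if f.endswith(".so")), None)
        if module_idx is None or fields[module_idx].rsplit("/", 1)[-1] not in modules:
            continue
        for arg in fields[module_idx + 1:]:
            key, sep, value = arg.partition("=")
            if sep and re.fullmatch(r"-?\d+", value):
                opts[key] = int(value)
    return opts


def shadow_expiry(shadow_line, today):
    """Parse one /etc/shadow record; return its aging fields and the number of
    days until the password expires (None when aging is disabled)."""
    f = shadow_line.strip().split(":")
    if len(f) < 9:
        raise ValueError("not a shadow record: %r" % shadow_line)
    epoch_days = (today - date(1970, 1, 1)).days
    lastchg = int(f[2]) if f[2] else None
    maxdays = int(f[4]) if f[4] else None
    if lastchg is None or maxdays is None:
        days_left = None
    elif lastchg == 0:          # lastchg 0 forces a change at next login
        days_left = 0
    else:
        days_left = lastchg + maxdays - epoch_days
    return {"user": f[0], "mindays": int(f[3] or 0), "maxdays": maxdays,
            "warndays": int(f[5] or 0), "days_left": days_left}


def deviations(actual, defaults):
    """Return {setting: (actual, default)} for every default that is missing or changed."""
    return {k: (actual.get(k), v) for k, v in defaults.items() if actual.get(k) != v}


def audit(shadow_line, system_password, system_auth, today):
    """Compare one account's aging fields and the two PAM files against the defaults."""
    expiry = shadow_expiry(shadow_line, today)
    return {
        "user": expiry["user"],
        "days_left": expiry["days_left"],
        "expiry": deviations({k: expiry[k] for k in EXPIRY_DEFAULTS}, EXPIRY_DEFAULTS),
        "complexity": deviations(pam_options(system_password, COMPLEXITY_MODULES),
                                 COMPLEXITY_DEFAULTS),
        "lockout": deviations(pam_options(system_auth, LOCKOUT_MODULES), LOCKOUT_DEFAULTS),
    }


# Constructed sample input: root last changed its password on 2024-01-01 (day 19723)
# with maxdays raised to 180; minlen lowered, maxsequence enabled, remember reduced;
# deny raised and unlock_time shortened.
SAMPLE_SHADOW = "root:$6$salt$hash:19723:0:180:7:::"
SAMPLE_SYSTEM_PASSWORD = """\
# constructed /etc/pam.d/system-password
password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 minclass=4 difok=4 retry=3 maxsequence=3 enforce_for_root
password required pam_unix.so sha512 shadow use_authtok remember=1
"""
SAMPLE_SYSTEM_AUTH = """\
# constructed /etc/pam.d/system-auth
auth required pam_tally2.so deny=5 unlock_time=300 root_unlock_time=600 onerr=fail
auth required pam_unix.so
"""
SAMPLE_DATE = date(2024, 3, 1)


def run_sample():
    """Run the audit over the constructed sample input."""
    return audit(SAMPLE_SHADOW, SAMPLE_SYSTEM_PASSWORD, SAMPLE_SYSTEM_AUTH, SAMPLE_DATE)


if __name__ == "__main__":
    report = run_sample()
    print("%s: password expires in %s days" % (report["user"], report["days_left"]))
    for policy in ("expiry", "complexity", "lockout"):
        for setting, (actual, default) in report[policy].items():
            print("%s: %s=%s (default %s)" % (policy, setting, actual, default))
```

On a real appliance you would run this as root and feed it the account's line from /etc/shadow plus the contents of /etc/pam.d/system-password and /etc/pam.d/system-auth, for root and for any other local account you have created. One caveat: when pam_faillock takes its settings from /etc/security/faillock.conf rather than from the PAM line, the lockout section reports every setting as missing; in that case extend the parser to read that file as well.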

Table 6. Design Decisions on Password Policies for Cloud-Based Intelligent Operations

CBO-CDP-SEC-001
Design Decision: Configure the local user password expiration policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user password expiration policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password expiration policy applies to the root account of the Cloud Proxy appliance.
Design Implication: You must manage the local user password expiration settings on each Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-002
Design Decision: Configure the local user password complexity policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user password complexity policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password complexity policy applies only to the local users of the Cloud Proxy appliance.
Design Implication: You must manage the local user password complexity settings on each Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-003
Design Decision: Configure the local user account lockout policy for each Cloud Proxy instance.
Design Justification:
  • You configure the local user account lockout policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user account lockout policy applies only to the local users of the Cloud Proxy appliance.
Design Implication: You must manage the local user account lockout settings on each Cloud Proxy instance by using the appliance console.

Password Management for the Cloud Proxy Appliance

Changing passwords periodically, and when certain events occur, such as an administrator leaving your organization, improves the security posture and health of the system. To ensure continued access, you must manage the life cycle of the root account password for the Cloud Proxy appliance.

If a password expires, you must reset it in the component that owns the account. After the reset, update the stored credential in every other component that uses that account so that the integration keeps working.

Table 7. Design Decisions on Password Management for Cloud-Based Intelligent Operations

CBO-CDP-SEC-004
Design Decision: Change the root password for each Cloud Proxy appliance on a recurring or event-initiated schedule.
Design Justification: By default, the password for the Cloud Proxy appliance root account expires every 90 days.
Design Implication: You must manage the local user password expiration settings on each Cloud Proxy appliance by using the virtual appliance console.

CBO-OPS-SEC-006
Design Decision: For each vCenter Server cloud account, change the service account password on a recurring or event-initiated schedule.
Design Justification: To maintain a secure platform, service account passwords must be rotated on a regular basis.
Design Implication: Password rotation for a service account is a manual process. After you change the password in Active Directory, update the associated credential in the VMware Aria Operations service.

CBO-OPS-SEC-007
Design Decision: For each SDDC Manager cloud account, change the service account password on a recurring or event-initiated schedule.
Design Justification: To maintain a secure platform, service account passwords must be rotated on a regular basis.
Design Implication: Password rotation for a service account is a manual process. After you change the password in Active Directory, update the associated credential in the VMware Aria Operations service.