Information security and access control design details the design decisions for both users and groups, for integration authentication, access controls, and for password management.

Identity Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation

As an Organization owner, you add users to your organization and provide access to the VMware Live Cyber Recovery, VMware Cloud on AWS, and VMware HCX services.

As the cloud administrator for VMware Cloud services, you establish an integration with the identity provider of your organization. With this integration, you can use your organization's directory services for authentication to VMware Cloud. After the integration is established, you can control authorization to your organization and services by assigning an organization and service roles to users. The Organization owner role allows you to add users to your organization and to provide access to the VMware Live Cyber Recovery, VMware Cloud on AWS, and VMware HCX services.

As an Organization owner, you can add and change the role assignment for users. In this solution, you assign an organization and service roles to users.

Table 1. Design Decisions on Identity Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-001

Limit the use of local accounts for interactive or API access, and solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBW-IAM-SEC-002

Limit the scope and privileges for accounts used for interactive or API access and solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBW-IAM-SEC-003

Assign VMware Live Cyber Recovery service roles to designated users.

To provide access to the VMware Live Cyber Recovery service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

CBW-IAM-SEC-004

Assign VMware Cloud on AWS service roles to designated users.

To provide access to the VMware Cloud on AWS service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

CBW-IAM-SEC-005

Assign VMware HCX service roles to designated users.

To provide access to the VMware HCX service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

Service Account Design for Cloud-Based Workload Protection for VMware Cloud Foundation

To provide and control the integration between VMware Live Cyber Recovery, VMware HCX, and vCenter Server and NSX Manager endpoints across VMware Cloud Foundation instances, you configure service accounts.

This solution ensures that the context of each integration uses the least privilege and permissions scope required for the integration.

Table 2. Design Decisions on Service Accounts for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-006

Define a custom vCenter Server role for VMware Live Cyber Recovery with minimum privileges required to support the registration of a vCenter Server.

VMware Live Cyber Recovery integrates with each workload domain vCenter Server instance using a minimum set of privileges required to support registration.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.

CBW-IAM-SEC-007

Assign the custom vCenter Server role to a user from the vsphere.local domain as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Live Cyber Recovery and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named vsphere.local account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in the vsphere.local domain.

CBW-IAM-SEC-008

Define a custom vCenter Server role for VMware HCX with minimum privileges required to support the registration of a vCenter Server.

VMware HCX integrates with each VI workload domain vCenter Server instance using a minimum set of privileges required to support registration and management.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.

CBW-IAM-SEC-009

Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware HCX and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named Active Directory account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBW-IAM-SEC-010

Assign the default Enterprise Admin role in NSX Manager to a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware HCX and NSX.

VMware HCX integrates with each VI workload domain NSX Manager instance using a minimum set of privileges required to support registration and management.

None.

Password Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation

Password management design details the design decisions covering password policy configuration and password management of the VMware Live Cyber Recovery and HCX Connector appliances.

Password Policies for the HCX Connector Appliance

Within an HCX Connector appliance, you can enforce password polices for access by using the appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the appliance. The password policies apply only to local user accounts.

It is, however, not possible to enforce such policies on the VMware Live Cyber Recovery Connector appliance.

Password Expiration Policy for the HCX Connector Appliance

You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 3. Default Password Expiration Policy for the HCX Connector Appliance
Local User Setting Default Description
root maxdays -1 Maximum number of days between password change
mindays 0 Minimum number of days between password change
warndays 7 Number of days of warning before a password expires
admin maxdays -1 Maximum number of days between password change
mindays 0 Minimum number of days between password change
warndays 7 Number of days of warning before a password expires

Password Complexity Policy for the HCX Connector Appliance

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 4. Default Password Complexity Policy for Local Users for the HCX Connector Appliance

Setting

Default

Description

dcredit

1

Maximum number of digits that will generate a credit

ucredit

1

Maximum number of uppercase characters that will generate a credit

lcredit

1

Maximum number of lowercase characters that will generate a credit

ocredit

1

Maximum number of other characters that will generate a credit

minlen 8

Minimum password length in character number

minclass

4

Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other)

difok

4

Minimum number of characters that must be different from the old password

retry

3

Maximum number of retries

maxrepeat

0

Maximum number of times a single character may be repeated

remember

5

Maximum number of passwords the system remembers

Account Lockout Policy for the HCX Connector Appliance

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for the HCX Connector Appliance

Setting

Default

Description

deny 3 Maximum number of authentication failures before the account is locked
unlock_time 60 Amount of time in seconds that the account remains locked
root_unlock_time 300 Amount of time in seconds that the root account remains locked
Table 6. Design Decisions on Password Policies for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-011

Configure the local user password expiration policy for each HCX Connector appliance.

  • You configure the local user password expiration policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root and the admin accounts for the HCX Connector appliance.

You must manage the local user password expiration settings on each HCX Connector appliance by using the appliance console.

CBW-IAM-SEC-012

Configure the local user password complexity policy for each HCX Connector appliance.

  • You configure the local user password complexity policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local HCX Connector appliance users.

You must manage the local user password complexity settings on each HCX Connector appliance by using the appliance console.

CBW-IAM-SEC-013

Configure the local user account lockout policy for each HCX Connector appliance.

  • You configure the local user account lockout policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local HCX Connector appliance users.

You must manage the local user account lockout settings on each HCX Connector appliance by using the appliance console.

Password Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. To ensure continued access, you must manage the life cycle of the service account password used by the VMware Live Cyber Recovery and HCX Connector appliances for connecting to the workload domain vCenter Server and NSX Manager.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password across components as required.

Table 7. Design Decisions on Password Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-014

For each vCenter Server, change the VMware Live Cyber Recovery service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware Live Cyber Recovery service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the VMware Live Cyber Recovery service.

CBW-IAM-SEC-015

For each vCenter Server, change the VMware HCX service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.

CBW-IAM-SEC-016

For each NSX Manager, change the VMware HCX service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.

CBW-IAM-SEC-017

Change the HCX Connector appliance root and admin passwords on a recurring or event-initiated schedule.

The password for the HCX Connector appliance root and admin accounts never expires based on the default password expiration policy.

  • You must manage the password change for the root and the admin accounts.

  • You must manage the password change on each HCX Connector appliance by using the virtual appliance console.

Certificate Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation

The certificate management design consists of characteristics and decisions that support configuring signed certificates of the HCX Connector appliance in the management domain.

The HCX Connector user interface uses an HTTPS connection. By default, the HCX Connector appliance uses a self-signed certificate. To provide secure access to the HCX Connector user interface, replace the default self-signed certificates with a CA-signed certificate.

Table 8. Design Decisions on Certificate Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-018

Replace the default self-signed certificate with a CA-signed certificate during the deployment of the HCX Connector appliance.

Ensures that all communication to the user interface of the HCX Connector appliance is encrypted.

  • Replacing the default certificates with a trusted CA-signed certificate increases the deployment preparation time as certificates requests are generated and delivered.

  • You must manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.

CBW-IAM-SEC-019

Use an SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and is deprecated.

Not all certificate authorities support SHA-2.

CBW-IAM-SEC-020

Rotate the CA-signed certificate of the HCX Connector appliance on a recurring or event-initiated schedule.

Ensures that all communication to the user interface of the HCX Connector appliance and between the components continues to be encrypted with a non-expired or non-compromised certificate.

  • Replacing the default certificates with a trusted CA-signed certificate might require preparation time as certificates requests are generated and delivered.

  • You must continue to manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.