Information security and access control design details the design decisions for both users and groups, for integration authentication, access controls, and for password management.
Identity Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation
As an Organization owner, you add users to your organization and provide access to the VMware Live Cyber Recovery, VMware Cloud on AWS, and VMware HCX services.
As the cloud administrator for VMware Cloud services, you establish an integration with the identity provider of your organization. With this integration, you can use your organization's directory services for authentication to VMware Cloud. After the integration is established, you can control authorization to your organization and services by assigning an organization and service roles to users. The Organization owner role allows you to add users to your organization and to provide access to the VMware Live Cyber Recovery, VMware Cloud on AWS, and VMware HCX services.
As an Organization owner, you can add and change the role assignment for users. In this solution, you assign an organization and service roles to users.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
CBW-IAM-SEC-001 |
Limit the use of local accounts for interactive or API access, and solution integration. |
Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity. |
You must define and manage service accounts, security groups, group membership, and security controls in Active Directory. |
CBW-IAM-SEC-002 |
Limit the scope and privileges for accounts used for interactive or API access and solution integration. |
The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy. |
You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration. |
CBW-IAM-SEC-003 |
Assign VMware Live Cyber Recovery service roles to designated users. |
To provide access to the VMware Live Cyber Recovery service, you assign users to service roles. |
You must maintain the service roles required for users of your organization. |
CBW-IAM-SEC-004 |
Assign VMware Cloud on AWS service roles to designated users. |
To provide access to the VMware Cloud on AWS service, you assign users to service roles. |
You must maintain the service roles required for users of your organization. |
CBW-IAM-SEC-005 |
Assign VMware HCX service roles to designated users. |
To provide access to the VMware HCX service, you assign users to service roles. |
You must maintain the service roles required for users of your organization. |
Service Account Design for Cloud-Based Workload Protection for VMware Cloud Foundation
To provide and control the integration between VMware Live Cyber Recovery, VMware HCX, and vCenter Server and NSX Manager endpoints across VMware Cloud Foundation instances, you configure service accounts.
This solution ensures that the context of each integration uses the least privilege and permissions scope required for the integration.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
CBW-IAM-SEC-006 |
Define a custom vCenter Server role for VMware Live Cyber Recovery with minimum privileges required to support the registration of a vCenter Server. |
VMware Live Cyber Recovery integrates with each workload domain vCenter Server instance using a minimum set of privileges required to support registration. |
|
CBW-IAM-SEC-007 |
Assign the custom vCenter Server role to a user from the vsphere.local domain as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Live Cyber Recovery and vCenter Server. |
|
You must maintain the life cycle, availability, and security controls for the account in the vsphere.local domain. |
CBW-IAM-SEC-008 |
Define a custom vCenter Server role for VMware HCX with minimum privileges required to support the registration of a vCenter Server. |
VMware HCX integrates with each VI workload domain vCenter Server instance using a minimum set of privileges required to support registration and management. |
|
CBW-IAM-SEC-009 |
Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware HCX and vCenter Server. |
|
You must maintain the life cycle, availability, and security controls for the account in Active Directory. |
CBW-IAM-SEC-010 |
Assign the default Enterprise Admin role in NSX Manager to a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware HCX and NSX. |
VMware HCX integrates with each VI workload domain NSX Manager instance using a minimum set of privileges required to support registration and management. |
None. |
Password Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation
Password management design details the design decisions covering password policy configuration and password management of the VMware Live Cyber Recovery and HCX Connector appliances.
Password Policies for the HCX Connector Appliance
Within an HCX Connector appliance, you can enforce password polices for access by using the appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the appliance. The password policies apply only to local user accounts.
It is, however, not possible to enforce such policies on the VMware Live Cyber Recovery Connector appliance.
Password Expiration Policy for the HCX Connector Appliance
You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.
Local User | Setting | Default | Description |
---|---|---|---|
root | maxdays |
-1 | Maximum number of days between password change |
mindays |
0 | Minimum number of days between password change | |
warndays |
7 | Number of days of warning before a password expires | |
admin | maxdays |
-1 | Maximum number of days between password change |
mindays |
0 | Minimum number of days between password change | |
warndays |
7 | Number of days of warning before a password expires |
Password Complexity Policy for the HCX Connector Appliance
You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.
Setting |
Default |
Description |
---|---|---|
|
1 | Maximum number of digits that will generate a credit |
|
1 |
Maximum number of uppercase characters that will generate a credit |
|
1 |
Maximum number of lowercase characters that will generate a credit |
|
1 |
Maximum number of other characters that will generate a credit |
minlen |
8 | Minimum password length in character number |
|
4 |
Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other) |
|
4 |
Minimum number of characters that must be different from the old password |
|
3 |
Maximum number of retries |
|
0 |
Maximum number of times a single character may be repeated |
|
5 |
Maximum number of passwords the system remembers |
Account Lockout Policy for the HCX Connector Appliance
You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.
Setting |
Default |
Description |
---|---|---|
deny |
3 | Maximum number of authentication failures before the account is locked |
unlock_time |
60 | Amount of time in seconds that the account remains locked |
root_unlock_time |
300 | Amount of time in seconds that the root account remains locked |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
CBW-IAM-SEC-011 |
Configure the local user password expiration policy for each HCX Connector appliance. |
|
You must manage the local user password expiration settings on each HCX Connector appliance by using the appliance console. |
CBW-IAM-SEC-012 |
Configure the local user password complexity policy for each HCX Connector appliance. |
|
You must manage the local user password complexity settings on each HCX Connector appliance by using the appliance console. |
CBW-IAM-SEC-013 |
Configure the local user account lockout policy for each HCX Connector appliance. |
|
You must manage the local user account lockout settings on each HCX Connector appliance by using the appliance console. |
Password Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation
Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. To ensure continued access, you must manage the life cycle of the service account password used by the VMware Live Cyber Recovery and HCX Connector appliances for connecting to the workload domain vCenter Server and NSX Manager.
If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password across components as required.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
CBW-IAM-SEC-014 |
For each vCenter Server, change the VMware Live Cyber Recovery service account password on a recurring or event-initiated schedule. |
To maintain a secure platform, you must rotate the VMware Live Cyber Recovery service account passwords on a regular basis. |
Performing password rotation for a service account is a manual process. You update the associated credentials in the VMware Live Cyber Recovery service. |
CBW-IAM-SEC-015 |
For each vCenter Server, change the VMware HCX service account password on a recurring or event-initiated schedule. |
To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis. |
Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance. |
CBW-IAM-SEC-016 |
For each NSX Manager, change the VMware HCX service account password on a recurring or event-initiated schedule. |
To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis. |
Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance. |
CBW-IAM-SEC-017 |
Change the HCX Connector appliance root and admin passwords on a recurring or event-initiated schedule. |
The password for the HCX Connector appliance root and admin accounts never expires based on the default password expiration policy. |
|
Certificate Management Design for Cloud-Based Workload Protection for VMware Cloud Foundation
The certificate management design consists of characteristics and decisions that support configuring signed certificates of the HCX Connector appliance in the management domain.
The HCX Connector user interface uses an HTTPS connection. By default, the HCX Connector appliance uses a self-signed certificate. To provide secure access to the HCX Connector user interface, replace the default self-signed certificates with a CA-signed certificate.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
CBW-IAM-SEC-018 |
Replace the default self-signed certificate with a CA-signed certificate during the deployment of the HCX Connector appliance. |
Ensures that all communication to the user interface of the HCX Connector appliance is encrypted. |
|
CBW-IAM-SEC-019 |
Use an SHA-2 or higher algorithm when signing certificates. |
The SHA-1 algorithm is considered less secure and is deprecated. |
Not all certificate authorities support SHA-2. |
CBW-IAM-SEC-020 |
Rotate the CA-signed certificate of the HCX Connector appliance on a recurring or event-initiated schedule. |
Ensures that all communication to the user interface of the HCX Connector appliance and between the components continues to be encrypted with a non-expired or non-compromised certificate. |
|