Information Security and Access Control Design for Cross Cloud Mobility for VMware Cloud Foundation

Information security and access control design details the design decisions for both users and groups, for integration authentication, access controls, and for password management.

Identity Management Design for Cross Cloud Mobility for VMware Cloud Foundation

As an Organization owner, you add users to your organization and provide access to the VMware Cloud on AWS and VMware HCX services.

As the cloud administrator for VMware Cloud services, you establish an integration with the identity provider of your organization. With this integration, you can use your organization's directory services for authentication to VMware Cloud. After the integration is established, you can control authorization to your organization and services by assigning an organization and service roles to users. The Organization owner role allows you to add users to your organization and to provide access to the VMware Cloud on AWS and VMware HCX services.

As an Organization owner, you can add and change the role assignment for users. In this solution, you assign an organization and service roles to users.

Table 1. Design Decisions on Identity Management for Cross Cloud Mobility
Decision ID	Design Decision	Design Justification	Design Implication
CCM-IAM-SEC-001	Limit the use of local accounts for interactive or API access, and solution integration.	Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.	You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.
CCM-IAM-SEC-002	Limit the scope and privileges for accounts used for interactive or API access, and solution integration.	The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.	You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.
CCM-IAM-SEC-003	Assign VMware Cloud on AWS service roles to designated users.	To provide access to the VMware Cloud on AWS service, you assign users to service roles.	You must maintain the service roles required for users of your organization.
CCM-IAM-SEC-004	Assign VMware HCX service roles to designated users.	To provide access to the VMware HCX service, you assign users to service roles.	You must maintain the service roles required for users of your organization.

Service Account Design for Cross Cloud Mobility for VMware Cloud Foundation

To provide and control the integration between VMware HCX and vCenter Server and NSX Manager endpoints across VMware Cloud Foundation instances, you configure service accounts.

This solution ensures that the context of each integration uses the least privilege and permissions scope required for the integration.

Table 2. Design Decisions on Service Accounts for Cross Cloud Mobility
Decision ID	Design Decision	Design Justification	Design Implication
CCM-IAM-SEC-005	Define a custom vCenter Server role for VMware HCX with minimum privileges required to support the registration of a vCenter Server.	VMware HCX integrates with each VI workload domain vCenter Server instance using a minimum set of privileges required to support registration and management.	You must maintain the privileges required by the custom vSphere role. If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.
CCM-IAM-SEC-006	Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware HCX and vCenter Server.	Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain. Limiting the use of a service account reduces the risk in the case of either a security or a password-related event. Using a named Active Directory account provides for auditability unlike generic administrative accounts.	You must maintain the life cycle, availability, and security controls for the account in Active Directory.
CCM-IAM-SEC-007	Assign the default Enterprise Admin role in NSX Manager to a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware HCX and NSX.	VMware HCX integrates with each VI workload domain NSX Manager instance using a minimum set of privileges required to support registration and management.	None.

Password Management Design for Cross Cloud Mobility for VMware Cloud Foundation

Password management design details the design decisions covering password policy configuration and password management of the HCX Connector appliance.

Password Policies for the HCX Connector Appliance

Within an HCX Connector appliance, you can enforce password polices for access by using the appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the appliance. The password policies apply only to local user accounts.

Password Expiration Policy for the HCX Connector Appliance

You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 3. Default Password Expiration Policy for the HCX Connector Appliance
Local User	Setting	Default	Description
root	`maxdays`	`99999`	Maximum number of days between password change
	`mindays`	`0`	Minimum number of days between password change
	`warndays`	`7`	Number of days of warning before a password expires
admin	`maxdays`	`-1`	Maximum number of days between password change
	`mindays`	`-1`	Minimum number of days between password change
	`warndays`	`-1`	Number of days of warning before a password expires

Password Complexity Policy for the HCX Connector Appliance

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 4. Default Password Complexity Policy for Local Users for the HCX Connector Appliance
Setting	Default	Description
`dcredit`	`1`	Maximum number of digits that will generate a credit
`ucredit`	`1`	Maximum number of uppercase characters that will generate a credit
`lcredit`	`1`	Maximum number of lowercase characters that will generate a credit
`ocredit`	`1`	Maximum number of other characters that will generate a credit
`minlen`	`8`	Minimum password length in character number
`minclass`	`4`	Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other)
`difok`	`4`	Minimum number of characters that must be different from the old password
`retry`	`3`	Maximum number of retries
`maxrepeat`	`0`	Maximum number of times a single character may be repeated
`remember`	`10`	Maximum number of passwords the system remembers

Account Lockout Policy for the HCX Connector Appliance

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for the HCX Connector Appliance
Setting	Default	Description
`deny`	`3`	Maximum number of authentication failures before the account is locked
`unlock_time`	`86400`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`300`	Amount of time in seconds that the root account remains locked

Table 6. Design Decisions on Password Policies for Cross Cloud Mobility
Decision ID	Design Decision	Design Justification	Design Implication
CCM-IAM-SEC-008	Configure the local user password expiration policy for each HCX Connector appliance.	You configure the local user password expiration policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user password expiration policy is applicable to the root and admin accounts for the HCX Connector appliance.	You must manage the local user password expiration settings on each HCX Connector appliance by using the appliance console.
CCM-IAM-SEC-009	Configure the local user password complexity policy for each HCX Connector appliance.	You configure the local user password complexity policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user password complexity policy is applicable only to the local HCX Connector appliance users.	You must manage the local user password complexity settings on each HCX Connector appliance by using the appliance console.
CCM-IAM-SEC-010	Configure the local user account lockout policy for each HCX Connector appliance.	You configure the local user account lockout policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user account lockout policy is applicable only to the local HCX Connector appliance users.	You must manage the local user account lockout settings on each HCX Connector appliance by using the appliance console.

Password Management Design for Cross Cloud Mobility for VMware Cloud Foundation

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. To ensure continued access, you must manage the life cycle of the service account password used by the HCX Connector appliance for connecting to the workload domain vCenter Server and NSX Manager.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password across components as required.

Table 7. Design Decisions on Password Management for Cross Cloud Mobility
Decision ID	Design Decision	Design Justification	Design Implication
CCM-IAM-SEC-011	For each vCenter Server, change the VMware HCX service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis	Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.
CCM-IAM-SEC-012	For each NSX Manager, change the VMware HCX service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis.	Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.
CCM-IAM-SEC-013	Change the HCX Connector appliance root and admin passwords on a recurring or event-initiated schedule.	The password for the HCX Connector appliance root and admin accounts never expires based on the default password expiration policy.	You must manage the password change for the root and the admin accounts. You must manage the password change on each HCX Connector appliance by using the virtual appliance console.

Certificate Management Design for Cross Cloud Mobility for VMware Cloud Foundation

The certificate management design consists of characteristics and decisions that support configuring signed certificates of the HCX Connector appliance in the management domain.

The HCX Connector user interface uses an HTTPS connection. By default, the HCX Connector appliance uses a self-signed certificate. To provide secure access to the HCX Connector user interface, replace the default self-signed certificates with a CA-signed certificate.

Table 8. Design Decisions on Certificate Management for Cross Cloud Mobility
Decision ID	Design Decision	Design Justification	Design Implication
CCM-IAM-SEC-014	Replace the default self-signed certificate with a CA-signed certificate during the deployment of the HCX Connector appliance.	Ensures that all communication to the user interface of the HCX Connector appliance is encrypted.	Replacing the default certificates with a trusted CA-signed certificate increases the deployment preparation time as certificates requests are generated and delivered. You must manage the life cycle of the certificate replacement. The SSL certificate key size must be 2048 or 4096 bits.
CCM-IAM-SEC-015	Use an SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and is deprecated.	Not all certificate authorities support SHA-2.
CCM-IAM-SEC-016	Rotate the CA-signed certificate of the HCX Connector appliance on a recurring or event-initiated schedule.	Ensures that all communication to the user interface of the HCX Connector appliance and between the components continues to be encrypted with a non-expired or non-compromised certificate.	Replacing the default certificates with a trusted CA-signed certificates might require preparation time as certificates requests are generated and delivered. You must continue to manage the life cycle of the certificate replacement. The SSL certificate key size must be 2048 or 4096 bits.