Information security and access control design details the design decisions for users and groups, integration authentication, access controls, and password management.
Identity Management Design for Health Reporting and Monitoring for VMware Cloud Foundation
You use accounts with least privilege access for authentication and authorization between the host virtual machine, SDDC Manager, and VMware Aria Operations.
You establish integration with the identity provider of your organization with vCenter Single Sign-On through the use of the Identity and Access Management for VMware Cloud Foundation validated solution. With this integration, SDDC Manager uses your organization's directory services for authentication through vCenter Server Single Sign-On. You control authorization to SDDC Manager by assigning roles to users or service accounts from your identity provider.
You establish integration with the identity provider of your organization with clustered Workspace ONE Access through the use of the Intelligent Operations Management for VMware Cloud Foundation validated solution. With this integration, you synchronize users from your organization's directory services with Workspace ONE Access and then manage access to VMware Aria Operations by assigning roles to users or service accounts from your identity provider.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| HRM-SEC-001 | Limit the use of local accounts for interactive or API access and solution integration. | Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity. | You must define and manage service accounts, security groups, group membership, and security controls in Active Directory. |
| HRM-SEC-002 | Limit the scope and privileges for accounts used for interactive or API access and solution integration. | The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy. | You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration. |
| HRM-SEC-003 | Assign an SDDC Manager role to a designated service account. | To provide least privilege access to SDDC Manager, you assign the service account to a role. | None. |
| HRM-SEC-004 | Assign a custom VMware Aria Operations role to a designated service account. | To provide least privilege access to VMware Aria Operations, you assign the service account to a custom role. | You must maintain the custom role required for the service account of your organization. |
Service Accounts Design for Health Reporting and Monitoring for VMware Cloud Foundation
To enable connectivity between the components of the Health Reporting and Monitoring for VMware Cloud Foundation validated solution, you configure service accounts with least privilege access to SDDC Manager and VMware Aria Operations.
This solution ensures that each integration and its associated service account operate with a least-privilege permissions scope.
The host virtual machine requires credentials that allow least privilege access to SDDC Manager and VMware Aria Operations.
The PowerShell Module for VMware Cloud Foundation Reporting requires the following access to SDDC Manager:
- VMware Cloud Foundation API
- Appliance Console Access
The Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations requires access to:
- VMware Aria Operations REST API
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| HRM-PWSH-SEC-001 | Assign the ADMIN role to an Active Directory user account in each SDDC Manager instance for application-to-application communication between the PowerShell Module for VMware Cloud Foundation Reporting and SDDC Manager. | To generate reports by using the PowerShell Module for VMware Cloud Foundation Reporting, the service account requires the ADMIN role for least privilege access. | You must maintain the life cycle and availability of the service account outside of the SDDC stack. |
| HRM-PY-SEC-001 | Create a custom role in VMware Aria Operations and assign it to an Active Directory user account for application-to-application communication between the Python Module for VMware Cloud Foundation Health Monitoring and VMware Aria Operations. | A custom role with least privileges is required to provide access to the REST API to push custom metrics to VMware Aria Operations. | |
| HRM-PY-SEC-002 | Import the service account to the Everyone user group in VMware Aria Operations. | The Everyone user group has no roles and scopes. You must assign the scope and custom role to the service account. | No restrictions limit access in VMware Aria Operations. |
| HRM-PY-SEC-003 | Assign the scope of permissions to the custom role in VMware Aria Operations. | Provides limited permissions to only the required adapter instances. | |
Password Management Design for Health Reporting and Monitoring for VMware Cloud Foundation
Password management design details the design decisions covering password policy configuration and password management.
Password Policies for Health Reporting and Monitoring
Configuring password policies includes the configuration of password expiration, complexity, and account lockout policies according to the requirements of your organization, which can be based on industry or internal compliance standards.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| HRM-VM-SEC-001 | Configure the local user password expiration policy for the host virtual machine. | You configure the local user password expiration policy for the host virtual machine to align with the requirements of your organization. | You must manage the local user password expiration settings on the host virtual machine. |
| HRM-VM-SEC-002 | Configure the local user password complexity policy for the host virtual machine. | You configure the local user password complexity policy for the host virtual machine to align with the requirements of your organization. | You must manage the local user password complexity settings on the host virtual machine. |
| HRM-VM-SEC-003 | Configure the local user account lockout policy for the host virtual machine. | You configure the local user account lockout policy for the host virtual machine to align with the requirements of your organization. | You must manage the local user account lockout settings on the host virtual machine. |
Password Management for Health Reporting and Monitoring
Changing the passwords periodically or when certain events occur increases the security posture and health of the system. To ensure continued access, you must manage the life cycle of the service account passwords for integration with SDDC Manager and VMware Aria Operations. After you reset a password, you must re-generate the encrypted passwords for the Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations. See Encrypt the Service Account Passwords Used by the Python Module.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| HRM-SEC-005 | If the SDDC Manager service account is changed, update the user credentials in the sddc_manager section of the env.json file. | You must manually re-establish authentication to SDDC Manager after the service account is changed (including a password change) to ensure that the Python Module for VMware Cloud Foundation Health Monitoring has the correct credentials and access. | You must update the user credentials manually. |
| HRM-SEC-006 | If the VMware Aria Operations service account is changed, update the user credentials in the vrops section of the env.json file. | You must manually re-establish authentication to VMware Aria Operations after the service account is changed (including a password change) to ensure that the Python Module for VMware Cloud Foundation Health Monitoring has the correct credentials and access. | You must update the user credentials manually. |
| HRM-SEC-007 | Encrypt the passwords for the SDDC Manager and VMware Aria Operations service accounts by running the encrypt-passwords.py Python script. | Password encryption enhances the security of the communication between the applications. | You must manually run the Python script to encrypt the passwords. |
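The following added example (not part of this solution or its Python Module) shows a post-rotation check over env.json that operationalizes HRM-SEC-001 and HRM-SEC-005 to HRM-SEC-007: it confirms that the sddc_manager and vrops sections exist, that the integration accounts are directory accounts rather than local ones, that stored passwords are in encrypted form, and which sections must be refreshed after a named service account is rotated. Only the section names sddc_manager and vrops come from the design; the field names, the sample file, and the "ENC:" marker for values produced by encrypt-passwords.py are assumptions.

```python
import json

# Constructed sample env.json (assumption: real field names are not shown on the page;
# only the "sddc_manager" and "vrops" section names come from the design decisions).
SAMPLE_ENV_JSON = """
{
  "sddc_manager": {"fqdn": "sddc-manager.example.invalid",
                   "username": "svc-hrm-sddc@example.invalid",
                   "password": "ENC:placeholder-ciphertext"},
  "vrops": {"fqdn": "vrops.example.invalid",
            "username": "admin",
            "password": "Plaintext-Password-1"}
}
"""

REQUIRED_SECTIONS = ("sddc_manager", "vrops")
ENCRYPTED_PREFIX = "ENC:"  # assumed marker for values written by encrypt-passwords.py


def check_env_json(text: str) -> list:
    """Return a list of findings; an empty list means env.json passes all checks."""
    findings = []
    env = json.loads(text)
    for section in REQUIRED_SECTIONS:
        creds = env.get(section)
        if not isinstance(creds, dict):
            findings.append(f"{section}: section missing (HRM-SEC-005/006)")
            continue
        user = str(creds.get("username", ""))
        # HRM-SEC-001: integration accounts come from Active Directory, not local accounts;
        # UPN (user@domain) or down-level (DOMAIN\\user) forms are accepted here.
        if "@" not in user and "\\" not in user:
            findings.append(f"{section}: '{user}' is not a directory account (HRM-SEC-001)")
        # HRM-SEC-007: the stored password must be the encrypted form, never plaintext.
        if not str(creds.get("password", "")).startswith(ENCRYPTED_PREFIX):
            findings.append(f"{section}: password is not encrypted (HRM-SEC-007)")
    return findings


def sections_to_update(rotated_accounts: set, text: str) -> list:
    """Map rotated service-account names to the env.json sections that must be refreshed."""
    env = json.loads(text)
    return [s for s in REQUIRED_SECTIONS
            if env.get(s, {}).get("username") in rotated_accounts]


if __name__ == "__main__":
    for finding in check_env_json(SAMPLE_ENV_JSON):
        print(finding)
    print(sections_to_update({"svc-hrm-sddc@example.invalid"}, SAMPLE_ENV_JSON))
```

Run it after every service-account change and before re-running encrypt-passwords.py; any finding means the file still carries a local account or a plaintext credential.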