Information Security and Access Design for Site Protection and Disaster Recovery for VMware Cloud Foundation

Information security and access design details the design decisions covering authentication and access controls for Site Recovery Manager and vSphere Replication, as well as password and certificate management.

Identity Management Design for Site Protection and Disaster Recovery for VMware Cloud Foundation

You use a service account for authentication and authorization of Site Recovery Manager to vCenter Server for orchestrated disaster recovery of the SDDC.

Table 1. Design Decisions on Identity Management for Site Recovery Manager and vSphere Replication
Decision ID	Design Decision	Justification	Implication
SPR-SRM-SEC-001	Configure a service account in vCenter Server for application-to-application communication from Site Recovery Manager to vSphere. This user account must be a member of the vCenter Single Sign-On administrator group.	Provides the following access control features: Site Recovery Manager accesses vSphere with the required set of permissions to perform disaster recovery failover orchestration and site pairing. In the event of a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of VMware Cloud Foundation to ensure its availability.
SPR-VR-SEC-002	Configure a service account in vCenter Server for application-to-application communication from vSphere Replication to vSphere. This user account must be a member of the vCenter Single Sign-On administrator group.	Provides the following access control features: vSphere Replication accesses vSphere with the required set of permissions that to perform site to site replication of virtual machines. In the event of a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of VMware Cloud Foundation to ensure its availability.
SPR-VR-SEC-003	Use global permissions when you create the Site Recovery Manager and vSphere Replication service accounts in vCenter Server.	Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain. Provides a consistent authorization layer. If you deploy more Site Recovery Manager instances, reduces the efforts in connecting them to the vCenter Server instances.	All vCenter Server instances must be in the same vSphere domain.

Password Management Design for Site Protection and Disaster Recovery for VMware Cloud Foundation

To ensure continued access to vSphere Replication and Site Recovery Manager, you must manage the life cycle of the accounts passwords for the vSphere Replication and the Site Recovery Manager appliances.

As the vSphere Replication and the Site Recovery Manager appliances are not integrated with VMware Cloud Foundation, SDDC Manager does not manage the life cycle of the local user accounts.

Password Policies for vSphere Replication and Site Recovery Manager

Within the vSphere Replication and the Site Recovery Manager appliances, you can enforce password polices for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for vSphere Replication and Site Recovery Manager

You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 2. Default Password Expiration Policy for vSphere Replication and Site Recovery Manager
Local User	Setting	Default	Description
root	`maxdays`	`99999`	Maximum number of days between password change
	`mindays`	`0`	Minimum number of days between password change
	`warndays`	`7`	Number of days of warning before a password expires

Password Complexity Policy for vSphere Replication and Site Recovery Manager

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The following tables list the default configuration settings and addtional values which you can configure.

Table 3. Default Password Complexity Policy for vSphere Replication and Site Recovery Manager
Setting	Default	Description
`minlen`	`8`	Minimum password length (number of characters)
`minclass`	`4`	Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on)
`difok`	`4`	Minimum number of characters that must be different from the old password
`maxsequence`	`0`	Maximum number of times a single character can be repeated
`retry`	`3`	Maximum number of retries
`remember`	`5`	Maximum number of passwords the system remembers

Table 4. Additional Password Complexity Policy Settings for vSphere Replication and Site Recovery Manager
Setting	Sample Value	Description
`dcredit`	`-1`	Maximum number of digits that generate a credit
`ucredit`	`-1`	Maximum number of uppercase characters that generate a credit
`lcredit`	`-1`	Maximum number of lowercase characters that generate a credit
`ocredit`	`-1`	Maximum number of other characters that generate a credit

Account Lockout Policy for vSphere Replication and Site Recovery Manager

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for vSphere Replication and Site Recovery Manager
Setting	Default	Description
`deny`	`5`	Maximum number of authentication failures before the account is locked
`unlock_time`	`1800`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`1800`	Amount of time in seconds that the root account remains locked

Table 6. Design Decisions on Password Policies for vSphere Replication and Site Recovery Manager
Decision ID	Design Decision	Design Justification	Design Implication
SPR-VR-SRM-SEC-004	Configure the password expiration policy for the vSphere Replication and the Site Recovery Manager appliances.	You configure the password expiration policy for the vSphere Replication appliance and the Site Recovery Manager appliance to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local users for vSphere Replication and Site Recovery Manager.	You can manage the password expiration policy on the vSphere Replication appliance and the Site Recovery Manager appliance by using the virtual appliance console or a Secure Shell (SSH) client.
SPR-VR-SRM-SEC-005	Configure the password complexity policy for the vSphere Replication and the Site Recovery Manager appliances.	You configure the password complexity policy for the vSphere Replication appliance and the Site Recovery Manager appliance to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local users for vSphere Replication and Site Recovery Manager.	You can manage the password complexity policy on the vSphere Replication appliance and the Site Recovery Manager appliance by using the virtual appliance console or a Secure Shell (SSH) client.
SPR-VR-SRM-SEC-006	Configure the account lockout policy for the vSphere Replication and theSite Recovery Manager appliances.	You configure the account lockout policy for the vSphere Replication appliance and the Site Recovery Manager appliance to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local users for vSphere Replication and Site Recovery Manager.	You can manage the account lockout policy on the vSphere Replication appliance and the Site Recovery Manager appliance by using the virtual appliance console or a Secure Shell (SSH) client.

Site Recovery Manager and vSphere Replication Password Management

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 7. Design Decision on Password Management for vSphere Replication and Site Recovery Manager
Decision ID	Design Decision	Design Justification	Design Implication
SPR-VR-SRM-SEC-007	Change the vSphere Replication appliance and Site Recovery Manager appliance root passwords on a recurring or event-initiated schedule by using the virtual appliance console or a Secure Shell (SSH) client.	By default, the passwords for the vSphere Replication and the Site Recovery Manager root accounts never expire.	You must routinely perform the password change for the root accounts by using the virtual appliance console or a Secure Shell (SSH) client.
SPR-VR-SRM-SEC-008	Change the vSphere Replication appliance and Site Recovery Manager appliance admin account passwords on a recurring or event-initiated schedule by using the virtual appliance console or a Secure Shell (SSH) client.	By default, the passwords for the vSphere Replication and the Site Recovery Manager admin accounts never expire.	You must routinely perform the password change for the admin accounts by using the virtual appliance console or a Secure Shell (SSH) client.

Certificate Management Design for Site Protection and Disaster Recovery for VMware Cloud Foundation

To provide secure access and communication for vSphere Replication and Site Recovery Manager, you replace the default self-signed certificate with a CA-signed certificate

Table 8. Design Decisions on Certificates for Site Recovery Manager and vSphere Replication
Decision ID	Design Decision	Design Justification	Design Implication
SPR-SRM-SEC-009	Replace the default self-signed certificate in each Site Recovery Manager instance with a CA-signed certificate.	Ensures that all communication to the externally facing Web UI of Site Recovery Manager and cross-product communication are encrypted.	You must have access to a Public Key Infrastructure (PKI) to acquire certificates.
SPR-VR-SEC-0010	Replace the default self-signed certificate in each vSphere Replication instance with a CA-signed certificate.	Ensures that all communication to the externally facing Web UI for vSphere Replication and cross-product communication are encrypted.	You must have access to a Public Key Infrastructure (PKI) to acquire certificates.