VMware Tanzu Application Service Compliance

Physical access restrictions are the responsibility of the deployer. Tanzu Application Service provides logical access controls for operators who use BOSH and VMware Tanzu Operations Manager to perform change management functions on the platform. For example, authentication to BOSH and Tanzu Operations Manager can be controlled by integrating UAA with the existing enterprise- or agency-deployed Identity Management system. BOSH and Tanzu Operations Manager must be deployed on a restricted management subnet, with access controlled through a bastion host (Jumpbox) as described in the reference architecture. Tanzu Operations Manager users with Full View and Restricted View permissions can be logged in simultaneously. For security purposes, operators with write access cannot be logged in to Tanzu Operations Manager simultaneously. Additional procedural controls to ensure that only one Tanzu Operations Manager user has write access at any one time are a deployer responsibility.

Logical access controls to protect change management of deployed applications are provided by the RBAC capabilities of the Cloud Controller. Refer to the associated documentation pages for more information about Cloud Controller RBAC.
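One check a deployer can run against the Cloud Controller RBAC model described above is an inventory of which users hold roles that permit changing deployed applications. The script below is an added example, not Tanzu documentation or Tanzu code. It assumes the shape of the Cloud Controller v3 roles API response (`GET /v3/roles`: each resource carries a `type` and `relationships.user`, with either `relationships.space` or `relationships.organization` populated); the JSON embedded in it is constructed sample data, not output from a real foundation.

```python
"""Inventory Cloud Controller role grants that allow change to applications.

Added example, not Tanzu documentation. Assumes the v3 roles API shape
(GET /v3/roles). SAMPLE_ROLES_RESPONSE is constructed sample data.
"""
import json

# Role types that let a user push/scale/modify apps or manage who else can.
# These are the grants that matter for change-access restrictions (CM-5).
CHANGE_ROLES = {"space_developer", "space_manager", "organization_manager"}

# Constructed sample response in the assumed v3 shape; a space role has a
# null organization relationship and vice versa.
SAMPLE_ROLES_RESPONSE = json.dumps({
    "resources": [
        {"guid": "r1", "type": "space_developer",
         "relationships": {"user": {"data": {"guid": "user-alice"}},
                           "organization": {"data": None},
                           "space": {"data": {"guid": "space-prod"}}}},
        {"guid": "r2", "type": "space_auditor",
         "relationships": {"user": {"data": {"guid": "user-bob"}},
                           "organization": {"data": None},
                           "space": {"data": {"guid": "space-prod"}}}},
        {"guid": "r3", "type": "organization_manager",
         "relationships": {"user": {"data": {"guid": "user-carol"}},
                           "organization": {"data": {"guid": "org-main"}},
                           "space": {"data": None}}},
        {"guid": "r4", "type": "space_developer",
         "relationships": {"user": {"data": {"guid": "user-alice"}},
                           "organization": {"data": None},
                           "space": {"data": {"guid": "space-dev"}}}},
    ]
})


def change_access(roles_json: str) -> dict[str, set[str]]:
    """Map each user GUID to its set of 'scope_guid:role_type' change grants."""
    grants: dict[str, set[str]] = {}
    for role in json.loads(roles_json)["resources"]:
        if role["type"] not in CHANGE_ROLES:
            continue  # auditors, billing managers, plain org users: read-only
        rel = role["relationships"]
        user = rel["user"]["data"]["guid"]
        # Exactly one of space/organization carries a non-null target.
        space = (rel.get("space") or {}).get("data")
        org = (rel.get("organization") or {}).get("data")
        scope = (space or org)["guid"]
        grants.setdefault(user, set()).add(f"{scope}:{role['type']}")
    return grants


def users_with_change_access(roles_json: str, scope_guid: str) -> list[str]:
    """Sorted user GUIDs able to change the given space or organization."""
    return sorted(
        user for user, grants in change_access(roles_json).items()
        if any(g.split(":", 1)[0] == scope_guid for g in grants)
    )


if __name__ == "__main__":
    # Review output against the approved change-authorization list.
    for user, grants in sorted(change_access(SAMPLE_ROLES_RESPONSE).items()):
        print(user, sorted(grants))
```

On a real foundation the JSON would come from `cf curl /v3/roles` (paged), and the resulting list is what a deployer compares against the approved set of individuals authorized to initiate changes.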


Control Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental Guidance

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
