VMware Tanzu Application Service Compliance

When the Tanzu Application Service (TAS for VMs) platform is deployed in accordance with the reference architecture guidance the platform is compliant. System functions, ports, protocols, and services are exposed only as needed and appropriate for the platform operation. In particular, the reference architecture requires that the CF Router provide the entry point to the deployment for users and operators. The other VMs that make up the Tanzu Application Service runtime environment are not routable from the enterprise network. There are no unnecessary functions, ports, protocols, or services exposed that are not strictly required. Deployers have the option of turning off access through SSH. Deployers have the option of requiring TLS for access to public endpoints. The BOSH stemcell is hardend to remove unneeded functions, ports, protocols and services. The TAS for VMs configuration options include a number of feature flags that may be enabled at the deployer’s discretion. It is a deployer responsibility to configure these options if and as needed.

Control Description

The organization:

1. Configures the information system to provide only essential capabilities; and
2. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].

Supplemental Guidance

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.