VMware Tanzu Application Service Compliance

When deployed in accordance with the recommended reference architecture the Tanzu Application Service (TAS for VMs) platform is compliant with this requirement. The entry point to access any services in the TAS for VMs platform are the Cloud Controller (for developers) and the BOSH director and/or Tanzu Operations Manager (for operators). Both of these end points require authentication at UAA before any further action may be taken. The UAA may be configured to delegate the initial user authentication requirement to an enterprise IdM, including LDAP and/or SAML authentication. When multi-factor authentication is required, a deployer may configure the IdM system to require multi-factor authentication prior to the issuance of a SAML assertion, which would then be presented at the UAA. Support for PIV or CAC authentication is delegated to the enterprise IdM.

Developers and operators are only required to authenticate once to access their respective service end points. Note, however, that any single individual that needs to perform both developer and operator functions would be required to establish a new session for each of these distinct roles. This behavior enables appropriate Separation of Duties for deployments that require this.

Support for Single Sign-On functionality across multiple deployed applications is available as a service for any applications that chose to use it.

Control Description

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Supplemental Guidance

Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.