VMware Tanzu Application Service Compliance

The VMs that are created in a Tanzu Application Service (TAS for VMs) deployment are created by BOSH on existing IAAS infrastructure, on a designated private subnet. All devices “admitted” to this subnet are determined by the authorized BOSH operator. e.g. there is no provision for an externally managed device to obtain an address on the private subnet via, e.g. DHCP and EAP. In addition, the controlled distribution of IPsec credentials prevents any externally managed VMs from communicating on the Tanzu Application Service private subnet. Admittance of end user client devices to a network that is routable to TAS for VMs is the responsibility of the deployer.

Control Description

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

Supplemental Guidance

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.