VMware Tanzu Application Service Compliance

Tanzu Application Service (TAS for VMs) is compatible with the use of IaaS-provided data-at-rest disk encryption when this capability is available. It is an operator responsibility to appropriately configure the deployment.

Integration of TAS for VMs and Tanzu Operations Manager with a native IaaS-provided key management service may vary by IaaS.

Operators can specify a custom AWS Key Management Service (KMS) encryption key to encrypt all the Elastic Block Store (EBS) volumes in AWS for BOSH VMs and the Tanzu Operations Manager VM.

For more information about TAS for VMs integration with IaaS disk encryption capabilities see:

• AWS configuration in Tanzu Operations Manager
• Security infrastructure
• File storage and encryption

In addition, TAS for VMs also encrypts sensitive information in the Cloud Controller database explicitly. Key material for this protection is auto-generated uniquely for each deployment.

Control Description

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Supplemental Guidance

This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.