VMware Tanzu Application Service Compliance

Tanzu Application Service runs applications inside linux containers.

These linux containers are designed to provide isolation between application processes, including filesystem, network, memory, and CPU.

In particular, the container filesystem is created using an overlay FS, ensuring that disk writes from one application cannot be seen by another concurrent or future application executing on the same host.

In addition, the containers are run on BOSH managed VMs which are themselves relatively short-lived. These VMs are created with both ephemeral and persistent disks, and all transient application data is stored on ephemeral disks, which are not preserved when a VM is recreated.

More information on how BOSH manages disk storage may be found in the BOSH documentation.

Control Description

The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental Guidance

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.