This topic provides information about securing your VMware Telco Cloud Automation environment.

Management Access Control

Products must limit access to their management operations by enforcing host authentication and authorization in addition to user authentication, for example by maintaining a list of trusted hosts.
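The following is an added illustration of that two-factor gate (it is not code from VMware Telco Cloud Automation): a management request is refused unless the source host is on a trusted-host list and the user also authenticates. The networks, the user name and the password are constructed example values, and the credential store is a minimal PBKDF2 stand-in for whatever the product actually uses.

```python
import hashlib
import hmac
import ipaddress
from typing import Tuple

# Constructed trusted-host list: only these networks may reach management operations.
TRUSTED_HOSTS = [
    ipaddress.ip_network("10.10.0.0/24"),     # example: management jump hosts
    ipaddress.ip_network("192.168.50.7/32"),  # example: a single admin workstation
]


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed stand-in for the product's real credential verification.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"example-salt"
# Constructed user store: username -> (salt, derived key).
USERS = {"tca-admin": (_SALT, _hash(_SALT, "correct horse battery staple"))}


def host_is_trusted(source_ip: str) -> bool:
    """Host authorization: the caller's address must fall inside a trusted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address is treated as untrusted
    return any(addr in net for net in TRUSTED_HOSTS)


def user_is_authenticated(username: str, password: str) -> bool:
    """User authentication with a constant-time digest comparison."""
    entry = USERS.get(username)
    if entry is None:
        _hash(_SALT, password)  # keep timing uniform for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(salt, password), expected)


def authorize_management(source_ip: str, username: str, password: str) -> Tuple[bool, str]:
    """Both checks must pass; the host check runs first so credentials from an
    untrusted host are never evaluated."""
    if not host_is_trusted(source_ip):
        return (False, "denied: source host is not in the trusted-host list")
    if not user_is_authenticated(username, password):
        return (False, "denied: user authentication failed")
    return (True, "allowed")


if __name__ == "__main__":
    for ip, user, pw in [
        ("10.10.0.5", "tca-admin", "correct horse battery staple"),
        ("203.0.113.9", "tca-admin", "correct horse battery staple"),
        ("10.10.0.5", "tca-admin", "wrong password"),
    ]:
        print(ip, user, authorize_management(ip, user, pw))
```

The point of the ordering is that a valid credential presented from a host outside the list is still rejected, which is what "host authentication and authorization in addition to user authentication" requires.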

Default Component Configuration

  • All accounts and services contained in VMware products that are not required for operation of the products must be deleted or deactivated, including non-VMware (open source or third party) components of those products.
  • When product features have multiple modes in which they can operate, the most secure mode or modes must be enabled unless doing so has a significant negative impact on normal product operations. For example, if a product supports management, only HTTPS must be enabled by default.

Security Documentation

  • If a product provides servicing capabilities, such service access must be deactivated by default.
  • Customers must have the ability to enable or deactivate service access capabilities.
  • Service personnel must not be able to directly or indirectly view, modify, delete, or capture customer data without being granted specific permission to do so by the customer.
  • Customers must be able to verify whether access by service personnel is granted or not.
Note: The product servicing capabilities referenced in this requirement are those used by VMware personnel or system integrators to service a product, for example for diagnostics, disaster recovery, and so on.

Encryption

  • Secure Transport Protocols must be one of the following:
    • TLS v1.2
    • SSH v2
    • IPsec
  • Customers must be able to reconfigure transport protocols through configuration settings, including enabling protocols for backward compatibility.
  • Customers, while being able to configure other protocols, must be warned against the use of such protocols in security-specific product documentation.
  • The default use of transport protocols outside the list of approved protocols is not allowed. Contact VMware support.
Note: For recommendations on how to configure OpenSSL, Windows libraries, and so on, see
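As an added example (not VMware code and not tied to any Telco Cloud Automation setting), the block below puts the encryption requirements into checkable form: a transport-configuration review that passes the approved list (TLS v1.2, SSH v2, IPsec) and emits a warning for anything else, and a TLS client context audit that shows a weak configuration next to its hardened counterpart. The legacy protocol names in `LEGACY_TRANSPORTS` are constructed examples of what a customer might enable for backward compatibility; the TLS context uses only the Python standard library `ssl` module.

```python
import ssl
from typing import List

# Transports the page approves for secure transport.
APPROVED_TRANSPORTS = {"TLS v1.2", "SSH v2", "IPsec"}

# Constructed examples of legacy transports outside the approved list.
LEGACY_TRANSPORTS = {"TLS v1.0", "TLS v1.1", "SSL v3", "SSH v1"}


def review_transport_config(enabled: List[str]) -> List[str]:
    """Return one warning per enabled transport that is not on the approved list."""
    warnings = []
    for name in enabled:
        if name in APPROVED_TRANSPORTS:
            continue
        if name in LEGACY_TRANSPORTS:
            warnings.append(f"{name} is enabled for backward compatibility only; "
                            "not permitted as a default transport")
        else:
            warnings.append(f"{name} is not an approved transport protocol")
    return warnings


def weak_context() -> ssl.SSLContext:
    """Before: a client context with verification switched off and, where the
    OpenSSL build allows it, a protocol floor below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # some builds refuse TLS 1.0 outright; the other weaknesses remain
    return ctx


def hardened_context() -> ssl.SSLContext:
    """After: certificate verification and hostname checking on, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a TLS client context measured against the page's requirements."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}; TLS v1.2 is the floor")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


if __name__ == "__main__":
    print(review_transport_config(["TLS v1.2", "TLS v1.0", "Telnet"]))
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

`review_transport_config` mirrors the documentation requirement: legacy protocols may be turned on for compatibility, but the configuration reviewer is told so explicitly rather than silently accepting them.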