Protect Skyline Collector deployments by configuring secure communication and authentication with the other components in the SDDC. Use dedicated service accounts for communication between the Skyline Collector instance and the vCenter Server, NSX Data Center, and vRealize Operations Manager endpoints in the management cluster and shared edge and compute cluster.
Encryption
Access to Skyline Collector user interfaces requires an SSL connection. By default, the Skyline Collector appliance uses self-signed certificates for the application interface and the virtual appliance management interface (VAMI). To provide secure access to the Skyline Collector appliance and between the Skyline Collector instance and SDDC endpoints, replace the default self-signed certificates with a CA-signed certificate.
| ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SKY-SDDC-010 | Replace the default self-signed certificates on the Skyline Collector virtual appliance with a CA-signed certificate. | Ensures that the communication to the user interface of the Skyline Collector instances and between the SDDC endpoints is encrypted. | Replacing the default certificates with a CA-signed certificate from a trusted certificate authority increases the deployment preparation time as certificate requests are generated and delivered. |
Authentication and Authorization
Users can authenticate to a Skyline Collector instance in the following ways:
- Local administrator account. Skyline Collector performs local authentication for the default administrator account only. The admin account is the primary user account. You use this account to log in to the Skyline Collector administrative interface, register the application, and manage collection endpoints.
- Active Directory. You can also enable authentication by using Active Directory for named user access. Both Active Directory users and groups can be given access to the Skyline Collector UI to perform administrative tasks, such as monitoring system status and endpoint management. However, only the local default administrator account can perform Active Directory configuration tasks.
Configure service accounts for communication between the Skyline Collector instances and the SDDC endpoint instances. You define service accounts with only the minimum set of permissions to perform the collection of diagnostic data from the management cluster and shared edge and compute cluster.
| ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SKY-SDDC-011 | Use local authentication for the Skyline Collector appliances. | Although Skyline Collector supports the use of Active Directory as an authentication source and for access control, you must use anonymous LDAP operations to use the Active Directory integration, which is non-default. | |
| SKY-SDDC-012 | Define a custom vCenter Server role for Skyline Collector that has the minimum privileges required to support the collection of data from the vSphere endpoints across the SDDC. | Skyline Collector instances access vSphere with the minimum set of permissions that are required to support the collection of diagnostic data from the management cluster and shared edge and compute clusters. | You must maintain the permissions required by the custom role. |
| SKY-SDDC-013 | Configure a service account in vCenter Server for application-to-application communication from Skyline Collector to vSphere. | Provides the following access control features: | You must maintain the lifecycle and availability of the service account outside of the SDDC stack. |
| SKY-SDDC-014 | Assign global permissions to the Skyline Collector service account in vCenter Server by using the custom role. | | All vCenter Server instances must be in the same vSphere domain. |
| SKY-SDDC-015 | Assign permissions for the Skyline Collector service account in the NSX Manager for the management cluster and shared edge and compute cluster for each region by using the default Auditor role. | Provides the following access control features: | You must maintain the lifecycle and availability of the service account outside of the SDDC stack. |
| SKY-SDDC-016 | Assign permissions for the Skyline Collector service account in vRealize Operations Manager by using the default read-only role. | Provides the following access control features: | You must maintain the lifecycle and availability of the service account outside of the SDDC stack. |
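As an added example (not code from the VMware Validated Design documentation or from Skyline Collector itself), the following PowerCLI script implements decisions SKY-SDDC-012 and SKY-SDDC-013 on one vCenter Server: it builds the custom role from an explicit privilege list, binds a dedicated service account to it, and audits the role for privilege creep so the "You must maintain the permissions required by the custom role" implication can be checked on every run. The vCenter FQDN, the role name, the service account name and the privilege list are placeholders; this page does not enumerate the privileges the collector needs, so the list must be replaced with the one documented for your Skyline Collector version.

```powershell
# Added example, not part of the VMware Validated Design page.
# Requires VMware PowerCLI. All names below are placeholders.
param(
    [string]$VCenter        = 'vcenter.example.local',   # placeholder vCenter Server FQDN
    [string]$RoleName       = 'Skyline Collector',       # placeholder custom role name
    [string]$ServiceAccount = 'EXAMPLE\svc-skyline'      # placeholder dedicated service account
)

# Privilege IDs the collector is allowed to hold. Placeholder list: replace it with the
# privileges documented for your Skyline Collector version. The System.* privileges are
# part of every vCenter Server role, so they always appear in the audit below.
$RequiredPrivilegeIds = @(
    'System.Anonymous',
    'System.View',
    'System.Read'
    # '<additional privilege IDs documented for Skyline Collector>'
)

Connect-VIServer -Server $VCenter | Out-Null

# Resolve each privilege ID to an object. A typo should abort the run rather than
# silently produce a role with fewer privileges than intended.
$privileges = foreach ($id in $RequiredPrivilegeIds) {
    $p = Get-VIPrivilege -Id $id -ErrorAction Stop
    if (-not $p) { throw "Privilege '$id' not found on $VCenter" }
    $p
}

# Create the role only if it does not exist yet, so the script is safe to re-run.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privileges
}

# Privilege-creep audit: compare what the role holds today with the required set.
$current = (Get-VIPrivilege -Role $role).Id
$excess  = $current              | Where-Object { $_ -notin $RequiredPrivilegeIds }
$missing = $RequiredPrivilegeIds | Where-Object { $_ -notin $current }
if ($excess)  { Write-Warning "Role '$RoleName' holds privileges beyond the required set: $($excess -join ', ')" }
if ($missing) { Write-Warning "Role '$RoleName' is missing required privileges: $($missing -join ', ')" }

# Bind the service account to the role at the root of this vCenter Server's inventory,
# propagating downward. This is an inventory permission on a single vCenter Server;
# the global permission called for by SKY-SDDC-014 is assigned separately and applies
# to every vCenter Server instance in the same vSphere domain.
$root     = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $ServiceAccount -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $ServiceAccount -Role $role -Propagate:$true | Out-Null
}

# Record the effective assignment for the change log.
Get-VIPermission -Entity $root -Principal $ServiceAccount |
    Select-Object Principal, Role, Propagate, @{ Name = 'Entity'; Expression = { $_.Entity.Name } }

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the script from a workstation that holds a PowerCLI session as an administrator with the Permissions.ModifyRole and Permissions.ModifyPermissions privileges; re-running it later without changing anything reports the role drift warnings, which is the check that keeps the custom role at least-privilege over time.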