Security in the VMware Validated Design is evaluated with a clear objective to balance best practices with usability and performance.

Figure 1. Security and Compliance in the VMware Validated Design for Software-Defined Data Center Layers

For VMware Validated Design for Software-Defined Data Center implementations, security must be handed over to a dedicated team (post-deployment) to augment and monitor the security posture. Attack vectors and compliance guidelines are constantly evolving, so the information provided can be used to establish a baseline, not an absolute or complete picture.

NIST 800-53 (Revision 4) forms the security baseline, backdrop, and security foundation used to evaluate the VMware Validated Design. It was selected because of its vast array of controls and because it is often used by other regulations as part of their reference framework.

NIST is a risk-based framework, which requires each organization to assess its own risk posture and identify applicable controls. The VMware Validated Design does not remove this step. The VMware Validated Design security design and compliance mappings are presented to inform the reader of both the design decisions and the security controls that can be leveraged.

It is important to note that the VMware Validated Design security design is not enough on its own. Each organization has a series of supporting security architecture, technology, processes, and people to evaluate.

Super users of the system inherit various technologies and typically work with security specialists to implement controls effectively. The VMware Validated Design has evaluated many design decisions that are incorporated into the overall design. Subsequent deployments benefit from post-implementation security health checks to enhance the organization's security posture as it relates to the VMware Validated Design.

Compliance Regulations and Standards

Organizations expect to keep data safe. They must often comply with one or more regulations, ranging from government standards to private standards, such as:

  • National Institute of Standards and Technology (NIST)

  • Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)

  • Federal Risk and Authorization Management Program (FedRAMP)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • North American Electric Reliability Corporation - Critical Infrastructure Protection Committee (NERC CIP)

  • Payment Card Industry (PCI)

  • American Institute of Certified Public Accountants - Statement of Compliance (AICPA, SOC 1, or SOC 2)

  • International Organization for Standardization number 27001 (ISO27001)

Security Versus Compliance

The VMware Validated Design approaches security and compliance concepts in a practical manner. Security supported by the VMware Validated Design reduces the risk of data theft, cyberattack, or unauthorized access, while compliance is the proof that a security control is in place, typically within a defined timeline. Security and compliance work with a broader set of considerations including people, processes, and technology. Security is primarily outlined in the design decisions and highlighted within the technology configurations. Compliance is focused on mapping the correlation between security controls and specific requirements. A compliance mapping provides a centralized view to list out many of the required security controls. Those controls are further detailed by including each security control's respective compliance citations as dictated by a domain such as NIST, PCI, FedRAMP, HIPAA, and so forth.

Infrastructure Provider Role and Multi-Tenant Consumer

The VMware Validated Design is deployed using multiple components. For more details, see the VMware Validated Design Architecture and Design document. In instances of tenancy, whether single-tenant or multi-tenant, consumers must be restricted to their respective tenant environments. Access to certain components, or products, might provide visibility into the wider VMware Validated Design functions. These wider VMware Validated Design functions form the backdrop that the infrastructure service provider manages. Access must be assigned only to the levels desired and clearly articulated in group nomenclature to avoid adding consumers into group membership that can extend outside of their approved tenant environment. Components that might be considered for a restriction in layers include:

  • Physical

  • Virtual infrastructure

  • Operations management

  • Cloud management

  • Business continuity

Typically, access to the virtual infrastructure layer must be further restricted to the tenant environments that the consumer must have access to.

Note:

For this guide, the scope is restricted to securing the infrastructure provider, or service provider. Security at the tenant level is not the focus.

NIST as a Security Baseline

The National Institute of Standards and Technology (NIST) works to promote innovation across all industries. In the realm of information security, cybersecurity, and technology, it has created a risk-based framework that provides a catalog of security controls for organizations to secure their systems. This catalog was used as a general guideline to evaluate VMware Validated Design for Software-Defined Data Center. In addition, many regulations cite NIST and build on its baseline. So, the NIST security baseline was deemed a key building block to design VMware Validated Design security and provide compliance mapping to other regulations/standards.