The VMware Validated Design security approach uses three categories to classify security controls.
The following classification identifies security controls, especially within the compliance mapping. This classification also provides a label to underscore each security control's applicability: partial applicability, or no applicability. Each security control was evaluated against the following categories to determine its scope and relevance to the VMware Validated Design.
- Core technology
Security controls with matching VMware Validated Design capabilities that can be configured with little or no dependency on any technology outside of the SDDC. For example, the use of certificates to improve trust within systems falls into this category.
- People or process administrative
Security controls that depend on other technology, depend on a wider process, and can be configured in the SDDC. The configuration of such a security control might be only one step within a wider process. For example, assigning users to groups must be part of a wider Access Control process that might depend on other technology such as Active Directory.
- Compliance mapping
Customers face varying degrees of compliance domains, for example, PCI for the credit card industry, HIPAA for healthcare, and FedRAMP for government regulation in the cloud. We use NIST 800-53 R4 as a mapping baseline to evaluate the population of eligible security controls. The compliance mapping serves to translate the foundation of VMware Validated Design capabilities to the compliance flavor per each enhance guide.