The components of a vSphere environment are secured out of the box by a number of features such as certificates, authorization, a firewall on each ESXi, limited access, and so on. You can modify the default setup in many ways - for example, you can set permissions on vCenter objects, open firewall ports, or change the default certificates. This results in maximum flexibility in securing vCenter Server systems, ESXi hosts, and virtual machines.
A high level overview of different areas of vSphere that require attention helps you plan your security strategy. You also benefit from additional vSphere Security resources on the VMware website.