Conducting a security assessment is the first step in understanding any vulnerabilities in your infrastructure. A security assessment is part of a security audit, which looks at both systems and practices, including security compliance.
A security assessment generally refers to scanning your organization's physical infrastructure (firewalls, networks, hardware, and so on) to identify vulnerabilities and flaws. A security assessment is not the same as a security audit. A security audit includes not only a review of physical infrastructure but other areas such as policy and standard operating procedures, including security compliance. After you have the audit, you can decide on the steps to remedy the problems within the system.
You might ask these general questions when preparing to conduct a security audit:
- Is our organization mandated to adhere to a compliance regulation? If so which one(s)?
- What is our audit interval?
- What is our internal self-assessment interval?
- Do we have access to previous audit results and have we viewed them?
- Do we use a third-party audit firm to help us prepare for an audit? If so, what is their level of comfort with virtualization?
- Do we run vulnerability scans against the systems and applications? When and how often?
- What are our internal cybersecurity policies?
- Is your audit logging configured according to your needs? See Audit Logging.
In the absence of specific guidance or direction on where to begin, you can jumpstart securing your vSphere environment by:
- Keeping your environment up-to-date with the latest software and firmware patches
- Maintaining good password management and hygiene for all accounts
- Reviewing vendor-approved security recommendations
- Referring to the VMware Security Configuration Guides (see Understanding the vSphere Security Configuration Guide)
- Using readily available and proven guidance from policy frameworks such as NIST, ISO, and so forth
- Following guidance from regulatory compliance frameworks such as PCI, DISA, and FedRAMP