These security controls provide a baseline set of vSAN best practices. They are structured in a way that explains the benefits and tradeoffs of implementing the control. To make changes to these controls, see the Administering VMware vSAN documentation.
Protect Data at Rest
vSAN must protect data at rest.
vSAN Data-at-Rest encryption helps maintain the confidentiality of sensitive data while it resides on storage devices and reduces the risk of unauthorized access or exposure in the event of physical theft or loss.
You can change this configuration parameter while the cluster is operational. Enabling data-at-rest protections reformats disk groups (for vSAN OSA) and rewrites stored objects (for vSAN ESA), which might take considerable time, but it is done in the background. Workloads do not need to be powered off. vSAN ESA 8.0 Update 2 introduced the ability to enable data-at-rest protections on an existing vSAN ESA datastore. vSAN ESA 8.0 Update 3 introduces the ability to disable it again. Run the latest version of vSAN if using ESA.
- Potential Functional Impact if Default Value Is Changed: All encryption comes at the cost of CPU cycles and potential storage latency. How much this impacts workloads depends on a variety of factors, such as the configuration of the underlying hardware and the type and frequency of storage I/O by the workload.
Protect Data While Traversing the Network
vSAN must protect data at rest, including storage-related network communications.
vSAN Data-in-Transit encryption helps ensure that sensitive data remains confidential while traversing the network, reducing the risk of unauthorized access or interception.
You can alter this configuration parameter while the cluster is operational.
- Potential Functional Impact if Default Value Is Changed: All encryption comes at the cost of CPU cycles and potential storage latency. How much this impacts workloads depends on a variety of factors, such as the configuration of the underlying hardware and the type and frequency of storage I/O by the workload.
Restrict Access to NFS File Shares
NFS file shares on vSAN File Services must be configured to restrict access.
When configuring an NFS file share, select the "Customize net access" option and configure a restrictive set of permissions.
Encrypt SMB Authentication
SMB file shares on vSAN File Services must accept only encrypted SMB authentication communications.
When configuring an SMB file share, activate the Protocol Encryption option.
Enable Bidirectional/Mutual CHAP Authentication
vSAN iSCSI target must enable bidirectional/mutual CHAP authentication.
Mutual CHAP provides an additional layer of protection by requiring both the initiator (client) and the target (server) to verify their identities to each other, thereby ensuring data transmitted between the two is not intercepted or altered by unauthorized entities.
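The two-way verification described above, as an added example that is not part of the original documentation or VMware's code: a Python simulation of the RFC 1994 CHAP-MD5 calculation used by iSCSI, run in both directions. The secrets, the dictionary layout, and the `login` helper are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)

def login(initiator: dict, target: dict, mutual: bool = True):
    """Simulate one login; each dict holds the secrets that side is configured with.

    Returns (target_accepts_initiator, initiator_accepts_target). The second
    value is None for one-way CHAP, where the initiator verifies nothing.
    """
    # Direction 1: the target sends a fresh challenge, the initiator answers.
    t_id, t_chal = 1, os.urandom(16)
    i_resp = chap_response(t_id, initiator["initiator_secret"], t_chal)
    target_ok = verify(t_id, target["initiator_secret"], t_chal, i_resp)
    if not mutual:
        return target_ok, None
    # Direction 2: the initiator sends its own fresh challenge to the target.
    i_id, i_chal = 2, os.urandom(16)
    t_resp = chap_response(i_id, target["target_secret"], i_chal)
    initiator_ok = verify(i_id, initiator["target_secret"], i_chal, t_resp)
    return target_ok, initiator_ok

# Constructed sample configuration: both genuine sides hold both secrets.
GENUINE = {"initiator_secret": b"constructed-initiator-secret",
           "target_secret": b"constructed-target-secret"}
# A target that was never provisioned with the real secrets.
IMPOSTOR = {"initiator_secret": b"wrong-1", "target_secret": b"wrong-2"}

if __name__ == "__main__":
    print("genuine, mutual  :", login(GENUINE, GENUINE))
    print("impostor, mutual :", login(GENUINE, IMPOSTOR))
    print("impostor, one-way:", login(GENUINE, IMPOSTOR, mutual=False))
```

In the one-way case the initiator-side result is `None`: the initiator has no response to check and cannot tell that the target was never given the real secrets, which is the gap mutual CHAP closes.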
Reserve Space to Complete Internal Maintenance Operations
vSAN must reserve space to complete internal maintenance operations.
The vSAN Operations Reserve capacity setting helps ensure that vSAN always has sufficient free space to maintain the availability and reliability of the vSAN datastore and prevent potential data loss or service disruptions due to insufficient capacity during operations such as policy changes.
You can change this configuration parameter while the cluster is operational.