On August 8th, VMware released the first VMware Validated Design Compliance Kit. This is an exciting first step towards security and compliance automation. Building the kit on existing VMware Validated Designs shortens the time to attain compliance, saves money, and reduces risk.
Introduction to Compliance
Predecessors of current technology had security features pretty much from the start. The 1960s Compatible Time-Sharing System (CTSS) invented passwords to keep user files secure. Security concepts and security architecture have evolved, but many of the early security features are still leveraged as a foundation to build upon. Today the proof of a certain baseline of security often comes in the form of compliance. Compliance is outcome-based: it makes sure that a set of security rules is in place.
Compliance Kit Contents Explained
A security-driven design combined with easy-to-follow guidance takes the Software-Defined Data Center (SDDC) to the next level. The Compliance Kit uses the SDDC VMware Validated Design (VVD) version 5.1. Its rules are based on the framework published in National Institute of Standards and Technology (NIST) publication 800-53 R4, and they form the baseline for all future kits. Every kit will be regulation-specific. Future kits may include PCI DSS 3.2.1, HIPAA, FedRAMP, ISO27001, et cetera. The first kit is now available for VMware Validated Design for Software-Defined Data Center 5.1.
The Kit contains several documents:
- Introduction to Security and Compliance—provides the architecture and design principles.
- Product Applicability Guide (PAG)—describes, product by product, the capabilities available to configure security and address compliance requirements.
- Configuration Guide—outlines step-by-step enhancements to implement after the VMware Validated Design is deployed. This guide mirrors existing guidance and helps administrators implement the solution.
- Audit Guide—authored by an auditor for auditors. It explains virtualization and auditing techniques to approach an audit of the Software-Defined Data Center.
- Audit Guide Appendix—contains a complete list of all configurations. It maps security configurations to compliance controls.
Each document speaks to a specific audience. System Administrators can reference the Configuration Guide and Audit Guide Appendix. Architects can review the Introduction to Security and Compliance and the Product Applicability Guide (PAG). Security professionals can delve into the Audit Guide Appendix. Auditors can start with the PAG and then continue with the Audit Guide.
Benefits
The kit empowers organizations to manage auditor expectations. It provides the tools to take control of the compliance conversation. Share the security architecture and controls in advance to minimize misunderstandings. Reduce uncertainty about whether a security team will arrive with sufficient knowledge to evaluate security configurations. Build transparency and collaborative partnerships across teams by sharing the kit across the organization. Share the kit with system architects, system administrators, and security professionals to vet the design.
The kit can help your organization by significantly reducing the time taken to complete an audit of your Software-Defined Data Center. Our engineering team has mapped 229 security configurations. The hardened environment was validated to ensure it did not harm the VMware Validated Design for Software-Defined Data Center interoperability, performance, or functionality. This makes it easier for customers to focus on achieving a compliance outcome without feeling like they have to start from a blank page.
Using the Kit
After implementing the VMware Validated Design 5.1, apply the Configuration Guide to enhance the Software-Defined Data Center. Security configurations are labeled as built-in or enhanced. Built-in configurations come standard with the deployed product or as part of the VMware Validated Design configuration. You can achieve enhanced configurations by following the Configuration Guide.
Every configuration maps to a control. Each audit procedure maps to a configuration and a control.
The following products are included in the Configuration Guide: VMware vSphere, VMware vSAN, and NSX for vSphere. Future kits will include additional products that are part of the VMware Validated Design.
Customers who are looking for bespoke solutions, or who want to use only a subset of the documentation, can do that too. We designed the PAG and Audit Guide to be flexible. They are product-driven, with the security capabilities and audit procedures grouped by product. Customers interested in a good starting place can begin with the Introduction to Security and Compliance.
Roadmap
We embarked on this compliance journey using the VMware Validated Design (VVD). Additional kits based on the VVD will be available for other regulations such as PCI. Every kit will be a blueprint for a regulation that takes a harmonized design approach. Each one will map security controls and identify configurations. We hope that a kit built to a specific regulation will facilitate audit conversations towards a compliance-ready audit outcome.
Download
The Compliance Kit for NIST 800-53 can be downloaded at no cost and is published for General Availability.
To learn more about Security and Compliance, visit us at VMworld:
Nice work, very comprehensive, thanks! But I do have a question:
The configuration guide lists out the advanced parameters for “Management VMs” but that really doesn’t make sense at all. The parameters listed are specific to a virtual machine and found in the VM advanced settings, not configurations within vCenter. The users who will actually be handling the sensitive data aren’t VM admins, they are government \ researchers. The VMs that require these controls are the VMs hosting the data, not VMware mgmt VMs. So should I interpret the use of the term “Management VMs” to be the VMs that will actually be hosting the sensitive data and need the controls and not the vCenter instance? And even if someone was granted access to vCenter they would only be granted limited rights to the VM itself and would not be able to make any changes or even see other objects in vCenter. What does a copy and paste configuration in the vCenter VM have anything to do with the VM hosting the data for which compliance is needed?
Hi Ken–thank you for the kind words. This guidance relates to the VMs that are part of the Management Domain. These could be applied to workload domain VMs, but you should test it first. Be sure that these configurations won’t affect your workload domain VMs before applying them. The term “Management VMs” is distinct from ESXi Hosts as it relates to hosting the data. I agree that those VMs used by end users to store data are important and they too should be protected. We elected to focus on the Infrastructure and hardening that aspect to then provide a foundation for the SDDC. Customers can then evaluate their workloads and security needs. The end user VM will have the Operating System, as well as the settings that a vCenter Administrator can access to secure the VM. These two aspects for workload domains are not part of the kit but the fundamentals used to secure Management VMs may be relevant to securing a workload VM (just be sure to test it to ensure no issues arise). Hope that helps. If not, please let us know.