On August 8th, VMware released the first VMware Validated Design Compliance Kit. This is an exciting first step towards security and compliance automation. Building the kit on existing VMware Validated Designs shortens the time to attain compliance, saves money, and reduces risk.
Introduction to Compliance
Predecessors of current technology had security features pretty much from the start. The 1960’s Compatible Time-Sharing System (CTSS) invented passwords to keep user files secure. Security concepts and security architecture have evolved, but many of the early security features are still leveraged as a foundation to build upon. Today the proof of a certain baseline of security often comes in the form of compliance. Compliance is outcome based. It makes sure that a set of security rules are in place.
Compliance Kit Contents Explained
A security driven design combined with easy to follow guidance takes the Software Defined Data Center (SDDC) to the next level. The Compliance Kit uses the Software Defined Data Center (SDDC) VMware Validated Design (VVD) version 5.1. Based on the framework published by the National Institute of Standards and Technology (NIST) publication 800-53 R4, these rules form the baseline for all future kits. Every kit will be regulation specific. Future kits may include PCI DSS 3.2.1, HIPAA, FedRAMP, ISO27001, et cetera. The first kit is now available for VMware Validated Design for Software-Defined Data Center 5.1.
The Kit contains several documents:
- Introduction to Security and Compliance—provides the architecture and design principles.
- Product Applicability Guide (PAG)—describes product by product capabilities available to configure security and address compliance requirements.
- Configuration Guide—outlines step by step enhancements to implement after the VMware Validated Design is deployed. This guide mirrors existing guidance and helps administrators implement the solution.
- Audit Guide—authored by an auditor for auditors. It explains virtualization and auditing techniques to approach an audit of the Software-Defined Data Center.
- Audit Guide Appendix—contains a complete list of all configurations. It maps security configurations to compliance controls.
Each document speaks to a specific audience. System Administrators can reference the Configuration Guide and Audit Guide Appendix. Architects can review the Introduction to Security and Compliance and the Product Applicability Guide (PAG). Security professionals can delve into the Audit Guide Appendix. Auditors can start with the PAG and then continue with the Audit Guide.
The kit empowers organizations to manage auditor expectations. It provides the tools to take control of the compliance conversation. Share the security architecture and controls in advance to minimize misunderstandings. Reduce uncertainty that a security team will arrive with insufficient knowledge to evaluate security configurations. Build transparency and collaborative partnerships across teams by sharing the kit across the organization. Share the kit with system architects, system administrators, and security professionals to vet the design.
The kit can help your organization by significantly reducing the time taken to complete an audit of your Software-Defined Data Center. Our engineering team has mapped 229 security configurations. The hardened environment was validated to ensure it did not harm the VMware Validated Design for Software-Defined Data Center interoperability, performance, or functionality. This makes it easier for customers to focus on achieving a compliance outcome without feeling like they have to start from a blank page.
Using the Kit
After implementing the VMware Validated Design 5.1, apply the Configuration Guide to enhance the Software Defined Data Center. Security configurations are labeled as built-in or enhanced. Built-in configurations come standard with the deployed product or as part of the VMware Validated Design configuration. You can achieve enhanced configurations by following the Configuration Guide.
Every configuration maps to a control. Each audit procedure maps to a configuration and a control.
The following products are included in the Configuration Guide: VMware vSphere, VMware vSAN and NSX for vSphere. Future kits will include additional products that are part of the VMware Validated Design.
For customers that are looking for bespoke solutions, or want to use a subset of the documentation, this is possible too. We designed the PAG and Audit Guide to be flexible. They are product driven with the security capabilities and audit procedures grouped by product. Customers interested in a good starting place can begin with the Introduction to Security and Compliance.
We embarked on this compliance journey using the VMware Validated Design (VVD). Additional kits based on the VVD will be available to other regulations such as PCI. Every kit will be a blueprint for a regulation that takes a harmonized design approach. Each one will map security controls and identify configurations. We hope that a kit built to a specific regulation will facilitate audit conversations towards a compliance ready audit outcome.
The Compliance Kit for NIST 800-53 can be downloaded at no cost and is published for General Availability.
To learn more about Security and Compliance, visit us at VMworld: