Introduction
As organizations adopt VMware Data Services Manager version 9.0 (DSM) to streamline and secure their database operations, maintaining a hardened and compliant environment becomes a top priority. This security blog provides practical examples of how to protect and operate DSM in alignment with VMware best practices.
While the guidance is not a formal compliance checklist, it illustrates methods and configurations that can enhance the security posture of your DSM deployment. Importantly, DSM is designed with security in mind and is STIG-compliant by default, offering a strong foundation for meeting stringent government and enterprise security standards. Whether you’re preparing for an audit or simply looking to improve operational security, this document offers actionable insights to help you safeguard your DSM environment.
STIG Hardening for Photon OS 5.0
In today’s increasingly complex security landscape, hardening your systems isn’t just a best practice; it’s a necessity. If you’re using Data Services Manager, you’re running it on VMware Photon OS 5.0, the only supported operating system for this release. Photon OS is a minimal Linux distribution designed with compliance and performance in mind. Ensuring the operating system and application stack are properly hardened to meet STIG standards is critical. But what does STIG hardening actually involve in this context? Let’s break it down.
What is STIG and why does it matter?
STIG stands for Security Technical Implementation Guide, developed by the Defense Information Systems Agency (DISA). These are rigorous security configuration standards used across U.S. Department of Defense (DoD) systems. The goal? Minimize vulnerabilities and lock down every corner of your OS.
STIG hardening is the process of aligning your system (in this case, Photon OS) with those standards. Think of it as putting your operating system on a strict security diet, cutting out anything unnecessary or risky.
If you’re working in a federal or highly regulated environment, STIG compliance isn’t optional. It’s often required for system accreditation. Even outside government, customers in financial services and other regulated industries follow STIG guidelines because doing so can significantly improve security posture by enforcing proven best practices.
Key Areas of STIG Hardening in Photon OS
Here’s a high-level look at what goes into hardening Photon OS to meet STIG standards:
1. Authentication & Access Controls
- Enforce complex passwords and expiration policies
- Limit login attempts and lock accounts after numerous failures
- Disable SSH root login
- Require multi-factor authentication (where possible)
2. File Permissions & Ownership
- Ensure sensitive files like /etc/shadow are properly locked down
- Scan for world-writable files and correct them
- Verify correct ownership of system binaries and scripts
3. Logging & Auditing
- Enable and configure auditd for full system auditing
- Log every administrative action
- Secure log files from tampering or unauthorized deletion
4. Network & Service Hardening
- Disable unnecessary services (e.g., Telnet, FTP)
- Harden SSH: limit users, disable unused features, enforce strong encryption
- Configure firewall rules to allow only what’s needed
5. System Integrity & Updates
- Ensure software is verified via cryptographic signatures
- Regularly apply patches
- Monitor kernel modules and secure the boot process if supported
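The following script is an added example, not part of the VMware post or of DSM itself. It is a read-only audit that spot-checks several of the items listed above on a Photon OS 5.0 host (SSH root login and ciphers, password expiry, /etc/shadow permissions, world-writable files, auditd) and prints PASS or FAIL for each without changing anything. The file paths are the Photon OS defaults and the 60-day password maximum is a common STIG value; both are assumptions to confirm against the Photon OS STIG for your release.

```shell
#!/bin/sh
# Added example (not from the VMware post or DSM): read-only STIG-style spot checks
# for a Photon OS 5.0 host. Reports PASS/FAIL, modifies nothing.
# Assumptions: default Photon paths (/etc/ssh/sshd_config, /etc/login.defs,
# /etc/shadow) and a 60-day PASS_MAX_DAYS limit.

# Effective value of an sshd_config keyword: comments skipped, first match wins
# (sshd uses the first occurrence of a keyword; Match blocks are not modelled).
sshd_value() {  # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }' "$1"
}

# SSH root login must be disabled.
check_ssh_root_login() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

# Ciphers must be listed explicitly and contain no CBC-mode, 3DES or arcfour entries.
check_ssh_ciphers() {
    ciphers=$(sshd_value "$1" Ciphers)
    [ -n "$ciphers" ] || return 1           # no explicit list: flag for review
    printf '%s' "$ciphers" | tr ',' '\n' | grep -Eiq 'cbc|arcfour|3des' && return 1
    return 0
}

# PASS_MAX_DAYS in login.defs must be set and at most $2 days.
check_pass_max_days() {  # $1 = login.defs path, $2 = maximum allowed days
    max=$(awk '/^[[:space:]]*PASS_MAX_DAYS[[:space:]]/ { v = $2 } END { print v }' "$1")
    [ -n "$max" ] && [ "$max" -le "$2" ]
}

# A sensitive file (e.g. /etc/shadow) must grant "other" no permissions at all.
check_no_other_access() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    mode=$(printf '%03d' "$mode" | tail -c 3)   # keep user/group/other digits
    [ "${mode#??}" = "0" ]                       # the last digit is "other"
}

# Regular files writable by everyone below a directory (there should be none).
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# auditd must be enabled so administrative actions are recorded.
check_auditd_enabled() {
    systemctl is-enabled auditd >/dev/null 2>&1
}

report() {  # $1 = label, remaining arguments = check command
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

audit_photon() {
    report "sshd: PermitRootLogin no"        check_ssh_root_login /etc/ssh/sshd_config
    report "sshd: no weak ciphers"           check_ssh_ciphers /etc/ssh/sshd_config
    report "login.defs: PASS_MAX_DAYS <= 60" check_pass_max_days /etc/login.defs 60
    report "/etc/shadow: no access for other" check_no_other_access /etc/shadow
    report "auditd service enabled"          check_auditd_enabled
    n=$(world_writable_files / | wc -l)
    report "no world-writable files ($n found)" [ "$n" -eq 0 ]
}

# Run the full audit only when invoked as: sh stig-audit.sh --run
[ "${1:-}" = "--run" ] && audit_photon
```

Each check is a separate function so it can be wired into whatever compliance tooling you already use; a FAIL line tells you which of the areas above needs attention, but remediation is deliberately left to the documented STIG fix text rather than automated here.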
Network Security with Data Services Manager
Data Services Manager is built with security in mind, starting from its foundation on Photon OS 5.0, which we’ve already covered. But what about the network layer?
Every inbound and outbound connection to and from DSM is encrypted using TLS 1.2 or higher, ensuring secure communication between system components, clients, and databases. These connections rely on certificate-based authentication, which might sound complex at first. However, DSM simplifies this task through its built-in certificate management system, which handles the management and lifecycle of the various certificates. This means you can maintain a strong security posture across your network communications without the manual effort typically involved in certificate setup.
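Even with DSM managing certificates for you, an operator usually wants an independent check that a certificate still chains to the expected CA and is not about to expire. The script below is an added example, not code from the VMware post or from DSM: it uses OpenSSL to verify a leaf certificate against a CA bundle and to warn when the certificate expires within a given window. The post does not name DSM’s certificate files, so the CA and leaf paths passed to these functions are assumptions, and the throwaway CA and leaf built by make_demo_certs are constructed test data.

```shell
#!/bin/sh
# Added example (not from the VMware post or DSM): certificate chain and
# lifetime checks with OpenSSL. The CA bundle and leaf paths are assumptions;
# DSM's own certificate locations are not given in the post.

# Does the leaf certificate chain to the given CA bundle?
cert_chain_ok() {  # $1 = CA bundle (PEM), $2 = leaf certificate (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Will the certificate expire within $2 seconds? Returns 0 (true) if so.
cert_expires_within() {  # $1 = certificate (PEM), $2 = window in seconds
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Human-readable summary, suitable for a scheduled job.
cert_report() {  # $1 = CA bundle, $2 = leaf certificate, $3 = warning window in days
    secs=$(( $3 * 86400 ))
    subject=$(openssl x509 -in "$2" -noout -subject)
    enddate=$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)
    echo "$subject"
    echo "  expires:  $enddate"
    if cert_chain_ok "$1" "$2"; then echo "  chain:    OK (trusted via $1)"; else echo "  chain:    FAIL"; fi
    if cert_expires_within "$2" "$secs"; then echo "  lifetime: WARN (expires within $3 days)"; else echo "  lifetime: OK"; fi
}

# Constructed test data: a throwaway CA, a leaf it signs with a short lifetime,
# and an unrelated self-signed certificate that must fail chain validation.
make_demo_certs() {  # $1 = output directory, $2 = leaf lifetime in days
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Demo Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dsm.example.internal' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days "$2" -out "$d/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=unrelated' \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
}

# Demo run: sh cert-check.sh --demo   (builds the constructed certs, reports, cleans up)
[ "${1:-}" = "--demo" ] && {
    d=$(mktemp -d)
    make_demo_certs "$d" 10
    cert_report "$d/ca.pem" "$d/leaf.pem" 30
    rm -rf "$d"
}
```

Pointing cert_report at the CA bundle you expect DSM components to trust (rather than the system default store) is the useful part: it catches a certificate that validates against some CA but not the one your segmentation and client policies were written for.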
Advanced Network Security with Distributed Firewall
Some environments, especially in highly regulated or enterprise-grade data centers, require advanced network security controls and strict micro-segmentation. Data Services Manager (DSM) is well-suited for these scenarios.
For customers using solutions like VMware NSX Distributed Firewall (DFW) or other fine-grained network security tools, DSM offers a clearly documented network flow. The documentation outlines all required communication paths between DSM components, management interfaces, and underlying databases. As a result, network rules can be pre-defined with precision before DSM is even installed, streamlining both planning and deployment. This allows administrators to control which clients are allowed to access a specific database and adds another layer of access control.
This proactive approach not only supports zero-trust architectures, but also ensures that DSM can be safely deployed into pre-segmented networks without requiring last-minute adjustments or workarounds. Whether you’re operating in a federal environment, a service provider data center, or a security-first enterprise, DSM aligns with modern network security best practices and is ready for integration with your firewall and segmentation strategies from day one.
Data Services Security
When using DSM to deploy and manage PostgreSQL or MySQL clusters in a high-availability configuration, replication security is built in by default, no manual SSL setup required. Out of the box, DSM ensures that all replication traffic between primary and replica nodes is encrypted using SSL/TLS. Whether you’re running PostgreSQL or MySQL within DSM, you can deploy HA clusters with confidence, knowing that your replication layer is already encrypted and secured according to best practices.
DSM is also now fully FIPS-compliant and adheres to the U.S. Federal Information Processing Standards for cryptographic operations. FIPS compliance validates DSM for deployment and use in federal, defense and other regulated environments that mandate certified cryptography.
If your security model requires field-level encryption or client-side data privacy, you can take it a step further by installing the pgcrypto extension in PostgreSQL. This enables application-level encryption for sensitive data, providing another layer of protection beyond transport and at-rest encryption.
Conclusion
Security is not an afterthought; it’s a fundamental requirement for any modern DBaaS approach. With Data Services Manager 9.0 running on Photon OS 5.0, you’re already starting from a hardened, STIG-compliant foundation. From TLS-encrypted communications and built-in certificate management to support for advanced network security, micro-segmentation, and data service-level security, DSM is designed to meet the demands of today’s most security-conscious environments.
By combining a secure-by-default architecture with layered network and data protection, DSM enables you to confidently run critical data services, without compromising on security.