A new release of VMware Cloud Foundation (VCF) always comes with improvements and changes in the security capabilities of the platform. Our goals for VCF are threefold:
- Allow you to be secure, faster. Security is an absolute necessity, but it is like an insurance policy: it protects you but doesn’t move your organization forward by itself. We want to minimize the time it takes to be secure, and make security controls flexible to quickly meet whatever challenges you face.
- Be resilient. Resilience is the core feature of the VMware infrastructure stack and has been since 2005 when vMotion was introduced. VCF offers flexible, performant options to protect yourself against big disasters like hurricanes or ransomware, or smaller ones like a failed application update.
- Be inherently trustworthy. One of the huge advantages VCF has is visibility across the entire stack, from server firmware and configuration all the way into the workloads, if desired. When you have data, you don’t need as much trust, and in a world looking towards “zero trust,” this is a good thing.
So what’s new in the stack? Let’s look at changes first. To start, the hypervisor has changed its name to VMware ESX (dropped the ‘i’). This doesn’t seem like a big deal, but we have had an ESX before, and security is a detail-oriented area. Moving forward, we are likely to use ESXi and ESX interchangeably, and to be clear, we aren’t talking about VMware ESX 4.1.
VCF 9.0 streamlines security by removing outdated components: CIM and SLP (replaced with native APIs), Update Manager baselines, manual SSH configuration edits, Smart Card/RSA SecurID support from ESX, Integrated Windows Authentication from vCenter, and vSphere Trust Authority. These removals strengthen the security posture by eliminating legacy attack surfaces and drive adoption of modern, more secure alternatives like identity federation and automated desired-state configuration management.
Patching and Lifecycle Improvements
The transition to vSphere Lifecycle Manager (vLCM) is complete in VCF 9.0, thanks to a lot of great feedback we received. While Update Manager got the job done, vLCM enforces configuration management, detects configuration drift, can interact with hardware managers to patch system firmware, and much more. In VCF 9.0, we introduce multi-vendor cluster images to help folks with mixed clusters, integrate the vSphere HA and NSX software directly into ESX to simplify dependencies, and allow for the creation of custom Enhanced vMotion Compatibility (EVC) profiles. EVC is a terrific tool to future-proof a cluster but was difficult to enable, and custom profiles solve that problem.
Live Patching capabilities were introduced in vSphere 8.0.3, intending to permit updates to ESX without having to evacuate the host. In VCF 9.0, Live Patch capabilities have been greatly expanded to include more of the system services on ESX. Hosts that employ DPUs or TPMs cannot use Live Patch at the moment because of the extra security provided by the TPM, but stay tuned. We still recommend installing and enabling TPM 2.0 in hosts as a major system integrity protection tool.
You might have heard of this “AI” fad… but what you might not know is that we have been working on supporting it for a decade. And while AI applications are special and unique, at the infrastructure level we’d like it if they were just like any other workload. To that end, there are significant improvements to vMotion and migrating a GPU-enabled workload in VCF 9.0, making it so you can patch your infrastructure without having to schedule downtime. There are also hundreds of smaller improvements to GPU support, helping to drive efficiency, performance, and resilience.
Confidential Computing
We originally introduced our Confidential Computing support five years ago, and we’ve taken significant steps again in VCF 9.0 with support for the newest hardware technologies: AMD SEV-SNP and Intel TDX. These technologies enable hardware-based data-in-use encryption with per-VM encryption keys, as well as workload and host attestation. This protects workloads from neighboring VMs and even the hypervisor itself, addressing multi-tenant security concerns, regulatory requirements for data isolation, and can even help protect against as-yet-undiscovered hardware vulnerabilities.
Identity Management
Identity providers are a source of stress for organizations because they are a major attack vector, too. Our goal in VCF is to allow seamless integration with enterprise identity providers (IdPs) like Symantec VIP, Entra ID, Okta, PingFederate, and, through generic support for SAML and OAuth 2.0/OIDC-connected IdPs, others that aren’t on our traditional list. The VMware Identity Broker is built into vCenter, as it has been since vSphere 8, and is also deployable as a single appliance or a three-appliance cluster.
Major work has been done on programmatic APIs in VCF 9.0, and this also includes identity management and role-based access control. Permissions, roles, and more are now available through the OpenAPI 3.0-compliant interfaces we support.
Data-in-Transit Encryption and Trust
VCF 9.0 uses TLS 1.3 by default across the whole product, both internally and for incoming client connections. TLS 1.2 remains available as a fallback, but it can be disabled with an easy-to-select TLS profile (“NIST_2024_TLS_13_ONLY”). We are continuing to revalidate all of our cryptography against the FIPS 140-3 standard and to enable FIPS 140-3 compliance throughout the stack by default.
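To make concrete what a “TLS 1.3 only” profile changes, here is an added Go program that is not VMware’s code and not how vCenter or ESX implement TLS profiles. It stands up a local TLS server in two postures, the default (TLS 1.3 preferred, TLS 1.2 still accepted) and a strict profile that refuses the fallback, and runs a handshake against a client capped at TLS 1.2 and at TLS 1.3. The self-signed certificate, the host name `vcf-demo.example`, and the loopback listener are all constructed for the demo; the client still verifies the certificate through a trust pool rather than skipping verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const demoHost = "vcf-demo.example" // constructed name for the self-signed demo certificate

// selfSignedCert mints a throwaway ECDSA certificate for the in-process demo and a pool
// that trusts it, so the client verifies the server instead of skipping verification.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: demoHost},
		DNSNames:     []string{demoHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // freshly produced DER, parse cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serverConfig models the two postures: default (TLS 1.2 fallback accepted) and a
// TLS-1.3-only profile whose only difference is the minimum protocol version.
func serverConfig(cert tls.Certificate, tls13Only bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if tls13Only {
		cfg.MinVersion = tls.VersionTLS13
	}
	return cfg
}

// clientConfig builds a verifying client capped at maxVersion, standing in for an older client.
func clientConfig(pool *x509.CertPool, maxVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: demoHost, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}
}

// handshake runs one TLS handshake over loopback and returns the negotiated version,
// or the error when the server's policy rejects the client.
func handshake(srv, cli *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- tls.Server(c, srv).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		ln.Close() // unblock Accept if the dial failed before the server saw a connection
		<-srvErr
		return 0, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	// The default posture accepts a TLS 1.2 client; the strict profile rejects it.
	for _, strict := range []bool{false, true} {
		v, err := handshake(serverConfig(cert, strict), clientConfig(pool, tls.VersionTLS12))
		fmt.Printf("tls13Only=%v client max TLS 1.2 -> version=%#x err=%v\n", strict, v, err)
	}
}
```

The point to take from it: a TLS-1.3-only profile is a server-side minimum-version policy, so before enabling it, inventory the clients (backup agents, monitoring integrations, older SDK builds) that would see the same handshake failure the strict case produces here.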
VCF Operations is a big part of VCF 9.0, continuing the vision of the SDDC Manager for fleet-wide management and operations. This includes centralized password management and centralized certificate management. Certificate management will become very important over the next couple of years as the CA/Browser Forum, the standards body for certificates, has dictated that certificate lifespans will reduce to 47 days. Automation through VCF Operations will be crucial.
Security Operations and Alerting
VCF Operations contains a new security operations dashboard, which allows for continuous monitoring of security controls and compliance postures, but in a flexible way that allows an organization to avoid false alarms. When an alarm does happen, VCF Operations lets you drill down into it, finding out exactly what changed and who changed it so you can quickly decide if it’s just a bad idea someone had or a real breach.
Data-at-Rest Encryption
A new standard key provider option has been added to enable the use of a “wrapping key.” Traditionally, there have been two keys involved in data-at-rest encryption: a data encryption key (DEK), which protects the object’s data itself, and a key encryption key (KEK), which protects the DEK. When used with a KMS, the KEK is generated and stored by the KMS.
There are some caveats to this, though. First, Cloud Foundation never deletes keys from the KMS because we don’t ever know for certain that you don’t need them again. As a result, keys will accumulate in the KMS. Second, the keys are hard to identify in the KMS if you do want to remove them. Third, many organizations want to audit their keys to ensure they’ve been rotated, and that’s hard too.
With VCF 9.0, the wrapping key is a third key that protects the KEK. Only the wrapping key is stored in the KMS, not thousands. The wrapping key can be configured to automatically be rotated on an interval you choose and can be given an identifier that makes it easy to find.
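Here is an added Go model of that three-key hierarchy. It is example code, not VCF’s implementation: the in-memory `KMS`, the `Platform` type, the key identifier, and the use of AES-256-GCM as the wrapping primitive are all assumptions of the demo. It shows the two properties the text describes: the KMS holds exactly one named key no matter how many objects have been encrypted, and rotating the wrapping key re-wraps only the KEK, leaving every per-object DEK and every object’s ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG (32 bytes is one AES-256 key).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS RNG is unrecoverable for a key hierarchy
	}
	return b
}

// aead returns AES-256-GCM for key; keys here are always 32 bytes, so neither call fails.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errors for non-16-byte blocks, impossible with AES
	return g
}

// seal returns nonce||ciphertext||tag. This demo uses the same AEAD to "wrap" a key and to
// protect object data (an assumption; a real platform may use a dedicated key-wrap mode).
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KMS is a hypothetical in-memory key manager holding only wrapping keys, one per identifier.
type KMS struct{ keys map[string][]byte }

func NewKMS() *KMS { return &KMS{keys: map[string][]byte{}} }

// Create generates fresh key material under id; rotation re-creates under the same id.
func (k *KMS) Create(id string) []byte { k.keys[id] = randomBytes(32); return k.keys[id] }
func (k *KMS) Count() int              { return len(k.keys) }

// Platform models the VCF side: the KEK exists only wrapped under the KMS-held wrapping key,
// and every object carries its own DEK wrapped under the KEK.
type Platform struct {
	kms        *KMS
	wrapID     string
	wrappedKEK []byte
	objects    [][2][]byte // per object: {wrappedDEK, ciphertext}
}

func NewPlatform(kms *KMS, wrapID string) *Platform {
	return &Platform{kms: kms, wrapID: wrapID, wrappedKEK: seal(kms.Create(wrapID), randomBytes(32))}
}

// kek fetches the wrapping key from the KMS and unwraps the KEK with it.
func (p *Platform) kek() ([]byte, error) { return open(p.kms.keys[p.wrapID], p.wrappedKEK) }

// Encrypt creates a per-object DEK, wraps it under the KEK and encrypts data under the DEK.
func (p *Platform) Encrypt(data []byte) (int, error) {
	kek, err := p.kek()
	if err != nil {
		return -1, err
	}
	dek := randomBytes(32)
	p.objects = append(p.objects, [2][]byte{seal(kek, dek), seal(dek, data)})
	return len(p.objects) - 1, nil
}

// Decrypt walks the chain wrapping key -> KEK -> DEK -> data.
func (p *Platform) Decrypt(i int) ([]byte, error) {
	kek, err := p.kek()
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, p.objects[i][0])
	if err != nil {
		return nil, err
	}
	return open(dek, p.objects[i][1])
}

// RotateWrappingKey replaces the KMS key under wrapID and re-wraps the KEK with it; no DEK
// or object ciphertext changes, and the KMS still holds exactly one key.
func (p *Platform) RotateWrappingKey() error {
	kek, err := p.kek()
	if err != nil {
		return err
	}
	p.wrappedKEK = seal(p.kms.Create(p.wrapID), kek)
	return nil
}
```

To exercise it, create a `KMS` and a `Platform`, encrypt a few objects, call `RotateWrappingKey`, and check that `Count()` is still 1 while `Decrypt` still returns each plaintext. The same structure is what makes the audit question on the page answerable: there is one key in the KMS to look at, with one identifier and one rotation history.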
Memory Tiering
Memory Tiering is possibly the best part of VCF 9.0. It uses NVMe flash storage as a slower tier of system memory and will page out inactive, allocated blocks of memory to free up the faster system DRAM. This drives up system utilization by 2x, with only a small loss in performance. From a security perspective, higher utilization means fewer things to secure and audit, and more capacity for system resilience. Because NVMe storage is hard or impossible to sanitize at the end of its lifespan, memory tiering also supports at-rest encryption for what it stores, with in-memory keys that do not persist and do not need to be managed.
Other Improvements
Every release has hundreds of other improvements that never make these lists but quietly improve security and efficiency for both workloads and humans. Some other notable improvements are:
- Support for custom VM Secure Boot certificates
- Introduction of the User-Level Virtual Machine Monitor
- Integrated support for virtual private clouds (VPCs) in vCenter & ESX
- Mandatory access control for ESX services (“sandboxing”)
- Forensic snapshot capabilities
- Undismissable alerts when execInstalledOnly is disabled
- vTPM 2.0 updated to TPM Specification Revision 1.59
- Hardened USB subsystems for virtual machines
- NFS krb5p & krb5i mount option support
- NVMe-oF authentication support
- Configurable vSAN network traffic separation
- Global availability of SHA-256 hashes (SHA-1 is still present for backwards compatibility, but anywhere you see SHA-1, you will see a SHA-256 hash too)
- vCenter Managed Object Browser is disabled by default
VCF 9.0 is both the best version of the VMware virtualization stack and a new take on integrated security and compliance operations through VCF Operations, on top of what VMware NSX, VMware vSAN, VMware vDefend, VMware Live Recovery, and VCF Automation bring to the table for security and resilience.
For more information, please reach out to your account team. We also maintain security hardening, compliance, and feature-specific Q&A in our GitHub repository: https://brcm.tech/vcf-security