The VMware Security Hardening Guides contain recommended processes for deploying and operating VMware products in a secure manner given a specified risk profile. You may not need, or may not be able, to follow each step in the security Hardening Guides because of the balance of operational efficiency, cost, risk tolerance and security requirements. The security hardening practices are recommended by VMware, but equally important is having a security controls document that incorporates VMware best practice recommendations combined with your specific security policies. It can be an invaluable tool during an audit.
Security has a wide scope that touches every aspect of the datacenter; an important part of security is recognizing the tolerance of risk. To do that, you need to understand the value of the assets you are trying to protect and the cost of protecting that asset. What is the likelihood of the asset being damaged or compromised? And what does it cost the company if that asset is compromised? A risk analysis provides a cost/benefit understanding of the cost to safeguard an item compared with the expected cost of loss. The security policy should be proportionate to the value of the asset, which may range from innocuous data processing up through mission-critical business process dealing with highly sensitive information. Each of these examples represents a different risk profile, which translates to different security requirements and thus different recommendations in the Hardening Guides.
Securing systems are not a low-cost endeavor. Even in terms of operations expenses, locking down systems can make internal operations teams less efficient when updating systems because of strict security controls. In many cases, a security policy will not be implemented unless the cost of the loss exceeds the security policy itself. In the end, you are the one who is best suited to make the decisions on the security posture of your IT assets.
You can learn all the details and begin planning your security controls document by reading the Security Controls Guide.
Jason Gaudreau is a Senior Technical Account Manager, VMware Professional Services. To read more from Jason, be sure to visit his blog here.