When it comes to your data center, security should be a constant conversation. vSAN & vSphere offer tools, insight and packages to increase your data center protection. This month’s chat focused on the benefits of built-in security, highlighting tips and tricks so you can get the most out our your data center. Tweet Chat veterans, Jase McCarty and Bob Plankers joined in, offering insight & advice for joint security features. Some of the main takeaways were: data at rest is a key security best practice; vRealize Log Insight has deep insight with OOTB dashboards; and it's a good idea to limit who can decrypt VMs! Read the full chat recap below!
"Keep things simple, as much as possible." Advice for life in IT, thanks @plankers!” #vSANChat #vSphereChat
Q1: Can you briefly describe the security benefits that are offered with vSAN + vSphere?
A1: Security Benefits of #vSAN - How about D@RE? vSAN offers FIPS 140-2 Validated D@RE with 6.7/6.7U1 to protect data in the cache & capacity tiers.
A1 (2nd): vSAN is part of vSphere. The only Virtualization Software Platform that has DISA published Security Technical Guides. While not updated for vSphere 6.7, the 6.5 STIG is just around the corner. https://iase.disa.mil/stigs/Pages/index.aspx
Q2: How can vRealize Log Insight assist with security auditing and compliance testing?
A2: Log Insight is great! My favorite thing about it, beyond the great content packs and the ability to find things with the wonderful search functions, is that it'll automatically configure your vSphere environment to log to it.
A2: vRLI has deep insight with OOTB dashboards showing access/changes/etc that help administrators/auditors properly seen & report that their HCI environment is secure & running properly.
Q3: Complexity increases the possibility of misconfiguration. What can admins do to prevent the possibility of misconfiguration?
A3: Use Host Profiles in vSphere to manage your host configurations. Or better yet, configure things with PowerCLI! Automation makes tasks repeatable, documented, and standardized, which are good things. Check out https://code.vmware.com/home
A3(2nd): If you automate all the things (deployment/management/reporting) with @PowerCLI, you can easily & consistently repeat configurations. #vSANChat #vSphereChat - Check out the Cookbook for vSAN: https://storagehub.vmware.com/section-assets/powercli-cookbook-for-vsan …
Q4: Can you explain how vSphere VM Encryption and vSAN Encryption can work together?
A4: vSAN/VM Encryption can work together, but we typically recommend 1 or the other. Have seen a few requests for using both simultaneously… We do report in the vSAN Health Check when you’re doing both. More comparisons/etc can be found here: http://vmware.com/go/encryptionfaq …
A4: Data at rest is a key security best practice nowadays. People are picking up used drives off eBay and out of trash cans and recovering data, and you don't want them to be able to do that to you. Using VM Encryption or vSAN Encryption is an absolute must.
VM Encryption also enables other features, like some advanced permissions in vCenter and the ability to add virtual TPMs to VMs.
Q5: What is the impact to vSAN Encryption if vCenter Server is offline? How can we make vCenter Server more resilient?
A5: The #1 way to keep your environment secure is to stay updated with current security patches. (#2 is good account and password hygiene). vSphere is intentionally architected to be resilient to these sorts of things!
A5: vCenter offline & vSAN Encryption? OH NO! Psyche! Not a problem, as vSAN Encryption talks directly to the KMS to retrieve the KEK & unlock disks. Want to know more? Here’s the 411: https://blogs.vmware.com/virtualblocks/20
Q6: Is it possible to secure encryption related tasks to a limited number of administrators?
A6: Introduced in vCenter 6.5, the “Non Cryptography Administrator” role will let Administrators do “most” tasks, but not meow the ability to perform cryptographic operations.
A6: Heck yes! If you enable VM Encryption on a vCenter instance you get extra cryptographic permissions. It's a good idea to limit who can decrypt VMs and change KMS configurations. Create a new role (copy the "no crypto admin" default role) and assign it to most everybody. Leave the decrypt to a small group, or an account that is secured and audited.
It Takes Twohttps://t.co/7CZwn8KBMn
— Jason Massae (@jbmassae) March 28, 2019
A7: Hmm: “Everything’s Gonna Be Alright” by A7: Hmm: “Everything’s Gonna Be Alright” by @kennychesney & @davidleemurphy
Q8: Now’s the time for any additional questions! Ask away!
I’m guessing the question is can you use #vSAN with other storage, like #VVols or Traditional storage? You can absolutely use vSAN along with VVols & Traditional storage on the same cluster. https://blogs.vmware.com/virtualblocks/2018/07/27/vsan-and-other-storage/ …
Hey Chatty Kathys, if you loved this last chat, there are more to come! Tell us what you want to discuss and we’ll gather the experts. These chats give you a chance to speak with the vSAN and wider VMware team in REAL-time. Don’t miss your chance to connect with the growing community of vSAN fans and experts!