Security is a hot topic everywhere in IT, but right behind it is its cousin, compliance. VMware vSphere is a great platform for organizations that have regulatory compliance needs. Hundreds of time-saving, easy-to-use, and flexible features in vSphere align closely with compliance frameworks, and VMware provides guidance on how to configure these features to meet regulatory requirements. In the last couple of weeks there’s been quite a bit of news in these areas.
NIAP & Common Criteria Certification
The National Information Assurance Partnership (NIAP) is the United States’ government organization that oversees the Common Criteria certification. This type of certification is important because it is a third party checking our work to ensure that what we believe is true about the security of our products is true. It’s also important to all our customers because improvements we may make as part of obtaining this certification will be part of updates for all of our customers, at all licensing levels.
VMware has submitted ESXi 6.7U2 for certification, and it is currently under active evaluation. A popular question among people and organizations that are interested in this is “when will it be done?” The NIAP web site says 90 days to 6 months, so it is reasonable to think that, at this time and with what we know now about things like known vulnerabilities, CPU hardware issues, and the like, the process will be complete in the fall of 2019.
VMware has produced a letter indicating our commitment to completing this process, which customers can use to help handle uncertainties in timing with their own projects. If you are interested in obtaining this letter please contact your account team.
NIST 800-53 & VMware Validated Designs
VMware Validated Designs (VVD) are the reference implementations of the VMware Software-Defined Data Center and reflect the standards and best practices around deploying VMware products. VMware is proud to announce the first fruits of a massive, multi-year effort to document and provide compliance guidance to our customers: the VMware Validated Design 5.0.1 Compliance Kit for NIST 800-53. It is in early access release right now, freely downloadable by all customers, and contains comprehensive guidance (517 auditable controls!) to help customers turn NIST 800-53 guidelines into actionable security settings in their environments.
NIST 800-53v4 is a great starting point for the VVD because its controls overlap with or are reused by many other major compliance frameworks. VMware has guidance on other compliance frameworks and certifications, including international ones, and can help customers implement these in their own environments and the cloud. Reach out to your account team for more information.
DISA STIG 6.5
The United States’ Defense Information Security Agency (DISA) has released their Security Technical Implementation Guide (STIG) for VMware vSphere 6.5. STIGs are produced through a long, formal, and rigorous process that assures the USA Department of Defense (DoD) that a product, when configured as the STIG prescribes, carries a known and accepted level of risk. With this release VMware retains its status as the only hyperconverged infrastructure included in a STIG. As with the Common Criteria certification, it is an honor to have our work on both vSphere and vSAN validated in this way.
Many vendors have hardening guides available for their products, but the only documents that can be called DISA STIGs are found on the DoD’s Cyber Exchange web site, and only for the products listed.
vSphere Security Configuration Guide
Customers who are looking for a starting point for securing vSphere but aren’t interested in the formal compliance frameworks should look at the vSphere Security Configuration Guide (SCG). This guide is available for all supported major versions of vSphere and contains a listing of security controls; for each one it gives a description and discussion of the risk it addresses, the default value, and the tools to automate checking and setting it, such as PowerCLI.
We used to call it a hardening guide but we’ve pushed most of the hardening settings directly into vSphere, making it secure by default and making it extremely easy for customers to do the right things. As such, what is left are decisions to be made around advanced configuration settings, as well as configuration that cannot be automatically set (NTP, DNS, AD, etc.). The SCG is nicely organized as a large Excel spreadsheet and, like everything else mentioned, freely available to all customers.
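As an added example (not from this post, the SCG, or VMware), the following PowerCLI script shows the kind of automated check the SCG enables: it compares a host's advanced settings against a baseline table and reports the NTP configuration, which the SCG can only describe because the correct value is site-specific. The setting names are real ESXi advanced settings, but the expected values in `$baseline` are constructed placeholders; take the real expected values from the SCG spreadsheet for your vSphere version.

```powershell
# Audit one ESXi host against an SCG-style baseline (added example, not VMware's code).
param(
    [Parameter(Mandatory)] [string] $Server,     # vCenter or ESXi host to connect to
    [Parameter(Mandatory)] [string] $HostName    # ESXi host to audit
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

# CONSTRUCTED baseline: setting name -> expected value. Replace with the values
# the SCG spreadsheet lists for your version; these are illustrative only.
$baseline = @{
    'Security.AccountLockFailures'          = 5
    'Security.AccountUnlockTime'            = 900
    'UserVars.ESXiShellInteractiveTimeOut'  = 600
    'UserVars.ESXiShellTimeOut'             = 600
    'Config.HostAgent.plugins.solo.enableMob' = 'False'
}

$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

# Compare each advanced setting with its expected value (string compare avoids type mismatches).
$findings = @(foreach ($name in $baseline.Keys) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $name -ErrorAction SilentlyContinue
    $actual  = if ($setting) { $setting.Value } else { '<missing>' }
    [pscustomobject]@{
        Control  = $name
        Expected = $baseline[$name]
        Actual   = $actual
        Status   = if ("$actual" -eq "$($baseline[$name])") { 'PASS' } else { 'FAIL' }
    }
})

# NTP cannot be given a universal expected value, so report it for review:
# FAIL only if no servers are configured or the ntpd service is not running.
$ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
$ntpService = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
$findings += [pscustomobject]@{
    Control  = 'NTP servers / ntpd'
    Expected = 'site-defined, ntpd running'
    Actual   = "$($ntpServers -join ',') running=$($ntpService.Running)"
    Status   = if ($ntpServers.Count -gt 0 -and $ntpService.Running) { 'REVIEW' } else { 'FAIL' }
}

$findings | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Remediation of a FAIL is a separate, deliberate step (for example `Set-AdvancedSetting` on the returned object after change approval); this script only reports.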
We also recommend subscribing to the VMware Security Advisories mailing list for up-to-the-minute alerts on updates and issues, as well as enabling vSphere Health for customized & proactive support information.
The security and success of our global customer base is very important to us, and we appreciate our customers and the amazing things they build on and with our products. Thank you. If there are any questions about security, compliance, patching, or upgrades please reach out through your account team or directly to us via email or on Twitter.