2. Agenda
• Skills and Abilities
• 2.7.1 Evaluate which security services can be used with a given vSphere solution.
• 2.7.2 Differentiate infrastructure qualities related to security.
• 2.7.3 Build specific regulatory compliance requirements into the logical design.
• 2.7.4 Analyze application and infrastructure security requirements.
• 2.7.5 Build a role-based access model and map roles to services.
• 2.7.6 Build a security policy based on existing security requirements and IT governance practices.
• 2.7.7 Incorporate customer risk tolerance into the security policy.
• 2.7.8 Assess the services that will be impacted and create an access management plan.
• 2.7.9 Determine the proper security solution that would satisfy a regulatory requirement.
• 2.7.10 Based on stated security requirements, analyze the current state for compliance/non-compliance.
3. Evaluate which security services can be used with a given vSphere solution.
• vSphere Solution
• Infrastructure Management Components: vCenter, VUM, Log Insight etc.
• Resource Components: ESXi (Compute), Storage and Networking.
• Application/Service Components: VMs, Application
[Diagram: vSphere solution components: vCenter, VUM, Log Insight, SSO; Compute; Networking; Storage; VM & Applications]
2.7.1
4. Evaluate which security services can be used with a given vSphere solution.
• Security Services?
• Services as in how security can be implemented in each component of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
[Diagram: the vSphere solution components (vCenter, VUM, Log Insight, SSO; Compute; Networking; Storage; VM & Applications) annotated with security measures: RBAC, Zoning, Masking, iSCSI CHAP, Isolation, AirGaps, Segments, LockDown, Firewall, Logs, Guest OS, VM files, Vmx, Authenti., vSphere Hardening Guide, Authenti., Timeouts, Filters, Sec. Mode, Logs, Patching]
2.7.1
5. Evaluate which security services can be used with a given vSphere solution.
• Security Services?
• Services as in how security can be implemented in each component of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
[Diagram: the vSphere solution components (vCenter, VUM, Log Insight, SSO; Compute; Networking; Storage; VM & Applications) annotated with: MicroSegmentation, Configuration Manager, vSphere, Log Insight]
2.7.1
6. Evaluate which security services can be used with a given vSphere solution.
• Security Services?
• Services as in how security can be implemented in each component of the vSphere solution?
• Services as in VMware tools integrated with core vSphere?
• Services as in 3rd party services for integration with vSphere solutions?
[Diagram: the vSphere solution components (vCenter, VUM, Log Insight, SSO; Compute; Networking; Storage; VM & Applications) annotated with: Virus Scanning, Service Insertion]
2.7.1
7. Differentiate infrastructure qualities related to security.
• Infrastructure Qualities as per the VCDX blueprint
• Plan for overall data control, confidentiality, integrity, accessibility, governance, and risk management, often including the ability to demonstrate or achieve compliance with regulation
2.7.2
8. Build specific regulatory compliance requirements into the logical design.
• What is regulatory compliance?
• Set of rules to follow
• Not always a set of instructions on how to follow them
• What happens if you don't comply? Risk.
2.7.3
PCI DSS, FedRAMP, HIPAA, CJIS, NERC-CIP, ISO, GDPR
9. Build specific regulatory compliance requirements into the logical design.
• List the rules to comply with and cross-reference them against vSphere services, solutions and other design qualities.
2.7.3
[Diagram: compliance rules traced through the design levels]
Conceptual: A12.1.3 Capacity management; A13.1.3 Network Segregation
Logical: Security Hardening: isolate.mgmt.network.airgap; Security Hardening: vCenter.restrict.network.access; Network Design: VLAN design; Management and Monitoring Design: vRealize Operations Manager design; VM Design: VM Lifecycle Integration
Physical: vROPS Config Items; VM Lifecycle Config Items; Network Config Item ID1; Network Config Item ID2; Network Config Item ID3
10. Build specific regulatory compliance requirements into the logical design.
• List the rules to comply with and cross-reference them against vSphere services, solutions and other design qualities.
2.7.3
[Diagram: compliance rules traced through the design levels]
Conceptual: 2.2d Change Default Passwords; 6.2 1-month patching of critical patches
Logical: Update: VUM Design; SOP: Host Patching, vCenter Upgrade; Security Hardening: ESXi.apply-patches; Risk Mitigation: Update Vulnerability Processes; ESXi.create-local-admin; vCenter.restrict-admin-privilege
Physical: Host Config Items; vCenter Config Items; Validation Item; SOPs; Infrastructure Lifecycle
12. Build a role-based access model and map roles to services.
• Based on security compliance, management and separation of duties
• Risk mitigation with role access
2.7.5
[Diagram: roles mapped to inventory objects]
Objects: vSphere Cluster, Storage, Network, VMs
PCI-DSS objects: PCI-DSS vSphere Cluster, PCI-DSS Storage, PCI-DSS Network, PCI-DSS VMs
Roles: VM User, VM Operator, VM Admin, PCI VM Operator, PCI VM Admin
13. Build a security policy based on existing security requirements and IT governance practices.
• As a part of a virtualization strategy
• Existing security requirements
• IT Governance
• "what is to be achieved from leveraging of IT resources"
• Includes inputs from IT standards
• ITIL
• ISO27000
• TOGAF
• PMBOK
2.7.6
[Figure: COBIT Framework]
14. Build a security policy based on existing security requirements and IT governance practices.
• Existing security requirements
• IT Governance
2.7.6
[Diagram: policy building blocks: Data Protection Policy, Resource Isolation, Data Encryption, RBAC, Data Access, Logging, Data Integrity, Risk Management, Regulation Compliance, Event Processes, System Accessibility, RunBooks, Information Logging Policy]
15. Incorporate customer risk tolerance into the security policy.
• What is risk tolerance?
• "Risk tolerance is the amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category or for a specific initiative"
• Quantitative and measured: Acceptable or unacceptable outcomes or as levels of risk.
• Risk Analysis/Assessment
• Likelihood
• Impact
2.7.7
https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
16. Incorporate customer risk tolerance into the security policy.
• Risk Tolerance Statement example:
• "The business has zero tolerance for fraudulent data loss"
2.7.7
[Diagram: Data Protection Policy derived from the statement: Key Management, Encryption, Role Separation, Data Access, Multi Layer Auth., Data Isolation]
17. Assess the services that will be impacted and create an access management plan.
• Access Management Plan
• "Access management is the process of granting authorised users the right to use a service, while preventing access to non-authorised users."
• Least Privileges
• To do their job
• Role Based Access Control
• Roles in vCenter
• Users in ESXi
• Roles in other components (management and monitoring)
2.7.8
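The role model from objective 2.7.5 and the least-privilege plan above, as an added example that is not part of the original slides: roles are bound to a scope, access is denied by default, and an audit flags assignments that break the PCI / non-PCI separation. Role and scope names come from the slides; the group names, privilege names and assignments are constructed for illustration and are not vCenter privilege IDs.

```python
"""Role-to-scope model for the PCI / non-PCI split (illustrative sketch)."""
from collections import defaultdict

# Privilege names are simplified stand-ins, not vCenter privilege IDs.
ROLES = {
    "VM User":         {"vm.console"},
    "VM Operator":     {"vm.console", "vm.power"},
    "VM Admin":        {"vm.console", "vm.power", "vm.config", "vm.delete"},
    "PCI VM Operator": {"vm.console", "vm.power"},
    "PCI VM Admin":    {"vm.console", "vm.power", "vm.config", "vm.delete"},
}
PCI_SCOPES = {"PCI-DSS VMs"}  # scopes that hold regulated workloads

# Constructed assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("grp-helpdesk",   "VM User",         "VMs"),
    ("grp-ops",        "VM Operator",     "VMs"),
    ("grp-vmadmins",   "VM Admin",        "VMs"),
    ("grp-pci-ops",    "PCI VM Operator", "PCI-DSS VMs"),
    ("grp-pci-admins", "PCI VM Admin",    "PCI-DSS VMs"),
    ("grp-vmadmins",   "VM Admin",        "PCI-DSS VMs"),  # deliberate violation
]

def is_allowed(principal, privilege, scope, assignments=ASSIGNMENTS):
    """Default deny: allowed only if a role held on that exact scope grants it."""
    return any(p == principal and s == scope and privilege in ROLES[r]
               for p, r, s in assignments)

def audit(assignments=ASSIGNMENTS):
    """Flag roles used outside their zone and principals that span both zones."""
    findings, zones = [], defaultdict(set)
    for principal, role, scope in assignments:
        pci_role, pci_scope = role.startswith("PCI "), scope in PCI_SCOPES
        zones[principal].add("pci" if pci_scope else "general")
        if pci_role != pci_scope:
            findings.append(f"{principal}: role '{role}' assigned on scope '{scope}'")
    for principal, held in sorted(zones.items()):
        if len(held) > 1:
            findings.append(f"{principal}: holds access in both PCI and general zones")
    return findings

if __name__ == "__main__":
    for line in audit():
        print("FINDING", line)
```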
18. Determine the proper security solution that would satisfy a regulatory requirement.
• How to achieve and demonstrate compliance
• Three Control categories:
• Preventive Controls
• Access Control, Separation of Duty, Configuration standard, Organizational Policies, Firewalls, Network Segregation, Vulnerability Management etc.
• Detective Controls
• Audit monitoring, configuration drift monitoring, change monitoring, intrusion detection and vulnerability scanning
• Corrective Controls
• Correct errors, restore normal operations, remove unauthorized users and changes, and restore services
2.7.9
19. Determine the proper security solution that would satisfy a regulatory requirement.
• How to achieve and demonstrate compliance
• Three categories of IT control objectives
• Access and user administration
• Change and configuration
• Operations
2.7.9
[Diagram: each control objective (Access and user administration, Change and configuration, Operations) has Preventive and Detective controls]
20. Determine the proper security solution that would satisfy a regulatory requirement.
• How to achieve and demonstrate compliance
2.7.9
[Diagram: Preventive and Detective controls under Access and user administration, Change and configuration, and Operations]
Preventive: Segregation of duties; Segregate data; Configuration Standards; Change Policies; Manage Logs; Manage Vulnerability
Detective: Monitor privileged users; Verify network controls; Monitor for non-standard configs and changes; Deploy IDS/IPS; Vulnerability Scans; Event Monit.
21. Determine the proper security solution that would satisfy a regulatory requirement.
• How to achieve and demonstrate compliance
2.7.9
[Diagram: the same preventive and detective controls as slide 20 under Access and user administration, Change and configuration, and Operations, with supporting tooling: Logging (SIEM), Configuration Management, Identity management tools]
22. Based on stated security requirements, analyze the current state for compliance/non-compliance.
• Compliance Checker discontinued
• Requirement to configuration mapping
• Manual
• Script for vSphere 5.X somewhere
• Validation of configuration, layout, processes, access management
2.7.10
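The requirement-to-configuration mapping above, as an added example that is not from the original slides or from VMware: each requirement is traced to hardening guideline IDs and evaluated against collected state, separating non-compliant, not-yet-assessed and unmapped requirements. Requirement labels and guideline IDs come from the slides; which ID backs which requirement, the fact field names, host names and observed values are assumptions constructed for illustration.

```python
"""Requirement-to-configuration traceability check (illustrative sketch)."""

# Requirement -> guideline IDs. The pairing is an assumption for this sketch.
TRACE = {
    "A13.1.3 Network Segregation": ["isolate.mgmt.network.airgap",
                                    "vCenter.restrict.network.access"],
    "6.2 1-month patching of critical patches": ["ESXi.apply-patches"],
    "2.2d Change Default Passwords": [],  # left unmapped to show the gap case
}

# Guideline ID -> predicate over one object's facts (hypothetical field names).
CHECKS = {
    "isolate.mgmt.network.airgap": lambda f: f["mgmt_shares_vm_network"] is False,
    "vCenter.restrict.network.access": lambda f: f["mgmt_source_ranges"] != ["0.0.0.0/0"],
    "ESXi.apply-patches": lambda f: f["oldest_missing_critical_patch_days"] <= 30,
}

# Constructed current state: guideline ID -> {object name: observed facts}.
CURRENT = {
    "isolate.mgmt.network.airgap": {"esx01": {"mgmt_shares_vm_network": False},
                                    "esx02": {"mgmt_shares_vm_network": True}},
    "ESXi.apply-patches": {"esx01": {"oldest_missing_critical_patch_days": 12},
                           "esx02": {"oldest_missing_critical_patch_days": 12}},
    # No evidence collected yet for vCenter.restrict.network.access.
}

def assess(trace=TRACE, checks=CHECKS, current=CURRENT):
    """Return {requirement: (status, details)}; missing evidence never passes."""
    report = {}
    for req, controls in trace.items():
        if not controls:
            report[req] = ("UNMAPPED", [])
            continue
        failed, missing = [], []
        for cid in controls:
            evidence = current.get(cid)
            if not evidence:
                missing.append(cid)
                continue
            failed += [f"{cid}@{obj}" for obj, facts in sorted(evidence.items())
                       if not checks[cid](facts)]
        if failed:
            report[req] = ("NON-COMPLIANT", failed)
        elif missing:
            report[req] = ("NOT ASSESSED", missing)
        else:
            report[req] = ("COMPLIANT", [])
    return report

if __name__ == "__main__":
    for req, (status, details) in assess().items():
        print(f"{status:14} {req} {details}")
```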
23. vSphere 6.5 Security Features
• VM Encryption (needs key management)
• PCI-DSS, GDPR, HIPAA
• Data Protection Policies
• vMotion Encryption
• Secure Boot for ESXi and VMs
• Enhanced Logging (Change Control and Monitoring)
• No more Security Hardening Guide, now Security Configuration Guide.
• https://blogs.vmware.com/vsphere/2016/10/whats-new-in-vsphere-6-5-security.html
24. Questions?
Links:
Whitepaper on Risk Appetite and Risk Tolerance (not part of the blueprint):
https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
Official VMware framework on compliance on PCI-DSS:
https://solutionexchange.vmware.com/store/products/vmware-pci-compliance-and-cyber-risk-solutions#.VRLGzZPF9Fg
Official VMware framework on security regulation compliance:
https://solutionexchange.vmware.com/store/products/vmware-compliance-cyber-risk-solutions#.VRGBT5PF9Fg
VCAP6-DCV Design Exam:
https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88743&ui=www_cert