VMware Cloud Foundation Security

ESXi, NSX, VCF

Securing a VMware Cloud Foundation (VCF) environment can be a daunting task at times. There are several products that can be deployed, and each has specific things that need to be looked at. It’s especially important to think of VCF as a solution though, as actions that you may take on an individual product can impact the functionality of the solution as a whole. Today, however, this just got a bit easier…

Today, VMware released the first compliance kit for VCF 4.2. This kit contains a series of documents focused on helping VCF customers maintain compliance. The first release focuses on NIST 800-53 R4, but the goal is to include guidance for the top 10 different regulatory requirements, including:

  • NIST 800-53 R4
  • PCI DSS 3.2.1
  • SOC 2
  • FedRAMP
  • HIPAA
  • FBI CJIS
  • DISA STIG
  • NERC CIP
  • NIST 800-171/CMMC
  • GDPR/ISO 27001:2013

As content for the other standards becomes available, you will see that the compliance kit gets updated. I know the team working on this is trying hard to add in support for FedRAMP, NERC CIP, FBI CJIS, HIPAA, and SOC 2 as quickly as possible.

The kit focuses on the core software components of VCF, including ESXi, vCenter, vSAN, NSX-T, and (of course) the SDDC Manager.

Within the kit, there are three main documents:

  • The Security and Compliance Configuration for VMware Cloud Foundation document describes configurations that a user can perform after the initial deployment of VCF in a standard deployment.
  • The VMware Cloud Foundation Audit Guide lists procedures that you can use to validate a VCF environment
  • And there is the VMware Cloud Foundation Audit Guide Appendix, which is an Excel spreadsheet that lists out various audit procedures and the applicability to particular standards.

One thing that you may find missing is automation from the current compliance kit. I’m told that this is being worked on, and it may be available later this year.

So where can you get the compliance kit from? One way is to start looking at the VCF documentation page. Here, you will see a new section for Security and Compliance. Now if you follow this to the download, you will find that it will take you to core.vmware.com. In case you were not aware, core.vmware.com hosts a lot of different information on VCF, vSAN, and host of other products. There’s even a section carved out just for compliance.  I would suggest checking here often to get the latest updates.

Hope this helps you increase your security posture with VCF! Enjoy!