It’s time to release the vSphere 6.0 Hardening Guide! As I mentioned back in April, there are a lot of changes that have been made. In talking with customers and auditors in detail for the past year, the conclusion was reached that the Hardening Guide was
- Difficult to understand
- Contained a mix of
- Operational Guidance – How you use the product in your environment
- Programmatic Guidance – What settings should be applied OR audited
Basically, it was NOT easy to implement. And if security is too difficult to implement, people will either not do it or will do it poorly.
With 6.0 I changed the focus of the guide to Programmatic Guidance. By leveraging the vSphere API’s we can make it really easy to implement or audit against the guide. I always ask myself “How can I lower the burden on the IT guy who has been tasked with “Go implement the Hardening Guide!!”?
Art .vs. Science
By separating these two things out, I discovered that the vast majority of the “Operational Guidance” was very “site specific”. If you consider the changing of settings as “Science” then the site-specific stuff can be considered the “Art”. The first is hard fact, the second is left up to interpretation.
The 5.x guideline “isolate-mgmt-network-airgap” is a perfect example. The guideline says do it. YOU SHOULD DO IT!! But how? Can you use a separate hardware-based network? Are VLAN’s acceptable? Should you use VMware NSX? The answer is “It depends on what your site-specifc requirements, processes and procedures are”.
In the world of governance, risk and compliance, confirming that it’s done right is what’s called a “manual attestation”, meaning someone has to sign a document that says “I did it correctly!” It’s very difficult, from an API-level standpoint, to verify that something like this is correctly done using the automation tools available to us.
The job of documentation like the vSphere Security Manual and the vSphere Hardening Guide is to point out risk and methods to mitigate that risk. How you mitigate that risk may be different that how I mitigate that risk. Both may be valid. That’s a discussion you have with your security team and/or your auditor.
The side benefit of moving the guide to a more programmatic format is that when working with your auditor, you can spend less time on settings and more time on the “how”. A significant number of customers I have talked to are VERY happy with this direction. And so are a couple of auditors! And they aren’t the easiest folks to please!!
For more information on the changes, read the following previous blog from a couple of months ago. It will explain in more detail.
vSphere 6.0 Hardening Guide – Overview of coming changes | VMware vSphere Blog – VMware Blogs
Many thanks to all those that contributed and helped in the production of this Hardening Guide. It was a LOT of work moving from a difficult process of marking up Excel documents and coordinating changes to a new system using an online collaboration tool.
My thanks to Pravin Goyal, Charu Chaubal, William Lam, Brian Graf and others that have helped. A huge thanks has to go out to Renate Kempf. She had done an amazing job on the vSphere Security Manual. You really should review it as almost all the changes that are considered “Operational Guidance” have been moved there. I have provided a spreadsheet that maps these guidelines to their place in the documentation.
A huge thanks to the VMware Engineering organization who were incredibly gracious with their time as we reviewed ALL of the guidelines to ensure they were correct, valid and supportable.
The VMware Hardening Guide page has been updated. You can download the vSphere Hardening Guide and the list of guidelines that have moved to the vSphere Documentation.
VMware Configuration Manager now supports the vSphere 6 Hardening Guide!
My colleague Pravin Goyal from the VMware Configuration Manager and vRealize Air Compliance team who helped tremendously with the vSphere 6 Hardening Guide, has been working directly with me during the production. Because of this collaborative effort, VCM now supports the vSphere 6.0 Hardening Guide today. Read more on the Security Blog.
Enjoy and as always, if you have questions or concerns, don’t hesitate to contact me. mfoley at VMware.com or @vspheresecurity on Twitter.