Security & Compliance in VMware vSphere+

Overview

VMware vSphere+ brings the functionality of VMware Cloud to on-premises infrastructure deployments, reducing infrastructure maintenance costs, optimizing operations, and speeding up security response. To enable VMware vSphere+, changes to communications and permissions are necessary to support these operations. This document is intended to clarify and document the security & compliance differences between traditional vSphere deployments and Cloud-enabled environments, document product goals, and answer questions.

Disclaimer

This set of documents is intended to provide guidance for organizations that are considering VMware solutions to help them address compliance requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide regulatory advice and is provided “AS IS.” VMware makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage appropriate legal, business, technical, and audit expertise within their specific organization for review of security and regulatory compliance requirements.

Intended Audience

This document is intended only for customers deploying and operating VMware vSphere+. Security and compliance recommendations are nuanced and may differ between products and releases. Please only use security guidance intended for the specific product and version you are running.

Download the Latest Version

This is “Security & Compliance in VMware vSphere+” version 703-20220628-01.

This document will evolve. The most up-to-date version can be found at:

https://core.vmware.com/security

Goals

VMware vSphere+ creates a shared responsibility and security model for on-premises managed vSphere components. This model intends to:

  • Minimize friction. Initial setup will require some opt-in configuration and permissions adjustments but will be kept to a minimum. Users should be able to easily set up, monitor, and revoke permissions when needed.
  • Limit access. The VMware Support Team will have access and ability to perform only the following operations:
    • vCenter Server lifecycle management (patching & upgrades)
    • vSphere licensing and license monitoring
    • Collecting configuration data for the purposes of auditing & displaying for customer consumption within the cloud console
    • vCenter Server monitoring
    • vCenter Server backup & restore
    • Only VMware Support teams will have access to specific monitoring data
    • This data will not be used for any marketing purposes
  • Promote transparency. Customers will have visibility into which actions are planned, currently being executed, and have been executed in the past.

Definitions

Site Reliability Engineer (SRE): VMware staff who use software engineering practices while solving IT infrastructure and operations problems. At VMware, these people conduct the day-to-day operations for VMware Cloud and vSphere Cloud.

VMware vCenter Server (vC): VMware vCenter Server is the centralized server management console for controlling vSphere environments. It is delivered as a virtual appliance.

VMware vCenter Cloud Gateway: The vCenter Cloud Gateway is a virtual appliance that enables hybrid cloud use cases where on-premises resources are connected to cloud resources.

VMware Hypervisor (ESXi): The VMware Hypervisor, ESXi, enables virtualization of servers to consolidate applications and workloads while increasing their manageability. ESXi runs on bare metal.

VMware vSphere: VMware vSphere is the combination of ESXi and vCenter Server that enables advanced functionality and manageability in the software-defined data center.

VMware vSphere Subscription: VMware vSphere+ is the version of vSphere that also includes the vCenter Cloud Gateway, allowing hybrid manageability of on-premises deployments.

VAMI: Virtual Appliance Management Interface (VAMI) is the web interface for vSphere Administrators to configure and maintain VMware products that are delivered as appliances.

Product Changes to Support VMware vSphere+

Users & organizations will continue to access vCenter Server with no change. However, new vCenter Server user accounts will be created to support the lifecycle operations that are managed from the cloud:

Purpose                     User                   Group                                 Privileges
Lifecycle, Backup, Restore  arctic_admin           Administrators                        Full Admin
Backup                      backup-admin           SystemConfiguration.Administrators    Backup
Licensing                   license-service-admin  LicenseService.Administrators         Read-only role for inventory, full access to licensing operations
Configuration Management    system-config-admin    SystemConfiguration.Administrators    Read-only role
Statistics Collection       vstats-admin           vStatsGroup                           vStatsAdmin role
Log Collection              syslog-admin           SyslogConfiguration.Administrators    SyslogAdmin role
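The account table above fixes which service account should sit in which vCenter SSO group, which makes it a natural baseline to audit against: a documented account that has picked up an extra group, a missing account, or an undocumented account in Administrators are all drift worth flagging. The following is an added example, not VMware's own tooling: it assumes you can assemble a user-to-group inventory from your vCenter as a list of {"user": ..., "groups": [...]} records (that format, the sample records and the accounts contractor-tmp and jdoe are constructed for illustration).

```python
"""Audit vSphere+ service accounts against the documented privilege table.

Added example, not VMware code. The inventory format (list of
{"user": str, "groups": [str, ...]}) is an assumption; the expected
account-to-group mapping is the one documented in the table above.
"""

# Documented accounts: user -> SSO group it is expected to be a member of
EXPECTED_ACCOUNTS = {
    "arctic_admin": "Administrators",
    "backup-admin": "SystemConfiguration.Administrators",
    "license-service-admin": "LicenseService.Administrators",
    "system-config-admin": "SystemConfiguration.Administrators",
    "vstats-admin": "vStatsGroup",
    "syslog-admin": "SyslogConfiguration.Administrators",
}

# Groups that grant broad control; any undocumented member is a finding.
HIGH_PRIVILEGE_GROUPS = {"Administrators"}


def audit_service_accounts(inventory):
    """Compare a user/group inventory with the documented table.

    inventory: iterable of {"user": str, "groups": [str, ...]} records.
    Returns a sorted list of human-readable findings; empty means no drift.
    """
    findings = []
    seen = {rec["user"]: set(rec["groups"]) for rec in inventory}

    # 1. Every documented account must exist and be in exactly its group.
    for user, group in EXPECTED_ACCOUNTS.items():
        groups = seen.get(user)
        if groups is None:
            findings.append(f"missing documented account: {user}")
            continue
        if group not in groups:
            findings.append(f"{user} is not in documented group {group}")
        extra = groups - {group}
        if extra:
            findings.append(
                f"{user} has undocumented group membership: {sorted(extra)}"
            )

    # 2. No undocumented account may hold a high-privilege group.
    for user, groups in seen.items():
        if user in EXPECTED_ACCOUNTS:
            continue
        elevated = groups & HIGH_PRIVILEGE_GROUPS
        if elevated:
            findings.append(
                f"undocumented account {user} is in {sorted(elevated)}"
            )
    return sorted(findings)


# Constructed sample inventory (not a real vCenter export).
SAMPLE_INVENTORY = [
    {"user": "arctic_admin", "groups": ["Administrators"]},
    {"user": "backup-admin", "groups": ["SystemConfiguration.Administrators"]},
    {"user": "license-service-admin", "groups": ["LicenseService.Administrators"]},
    # drift: a read-only configuration account that was also made Administrator
    {"user": "system-config-admin",
     "groups": ["SystemConfiguration.Administrators", "Administrators"]},
    {"user": "vstats-admin", "groups": ["vStatsGroup"]},
    # drift: syslog-admin is deliberately absent
    # drift: an undocumented (hypothetical) account holding Administrators
    {"user": "contractor-tmp", "groups": ["Administrators"]},
    {"user": "jdoe", "groups": ["Users"]},  # ordinary user, not a finding
]

if __name__ == "__main__":
    for finding in audit_service_accounts(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample inventory the audit reports three findings (the extra Administrators membership, the missing syslog-admin account, and the undocumented Administrators member); an inventory that matches the table exactly returns an empty list, which is what a scheduled compliance check should expect.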

Connections to VMware Cloud Services

Initial connections will need to be made between on-premises instances and VMware Cloud services using credentials for VMware Cloud. Customers will need to create an account for VMware Cloud (console.cloud.vmware.com) prior to being able to connect.

A temporary authorization code will be generated on the Cloud Gateway Appliance to identify and verify it to the VMware Cloud services.

Questions & Answers

Does VMware vSphere+ use VMware Cloud services?

Yes, the VMware vSphere+ offering connects to services that are part of VMware Cloud on AWS.

Do VMware Cloud services have regulatory compliance information available?

The VMware Cloud Trust Center is a collection of information about security, privacy, compliance, and resiliency for the VMware Cloud services. You can find it at:

https://www.vmware.com/products/trust-center.html

https://trust.vmware.com/

https://www.vmware.com/download/eula.html

Does VMware vSphere+ require a VPN to the public cloud?

No. Data is transmitted over standard TLS-encrypted connections from the vCenter Cloud Gateway to the VMware Cloud, on outbound TCP port 443 only. vCenter Servers are connected to the vCenter Cloud Gateway and not directly to the Internet. There is no impact to ESXi host and VM connectivity. ESXi hosts continue to be connected only to vCenter Server. There is no need for the vCenter Cloud Gateway to connect with ESXi hosts or your virtual machines. All communication flows from vCenter Server through the vCenter Cloud Gateway to VMware Cloud.

Do I need to place my vCenter Server on the Internet for this service?

No. VMware always recommends practicing defense-in-depth by maintaining layers of independent security controls. To that end, please do not place vCenter Server, ESXi, storage, network, or other management interfaces directly on the public Internet.

What connections does VMware vSphere+ make to VMware Cloud services?

Connections to VMware Cloud services are through the vCenter Cloud Gateway, which is an appliance deployed on-premises that aggregates and centralizes interactions with the Cloud services. The cloud gateway requires the ability to connect to the following URLs:

  • vmc.vmware.com (registration & connection to services)
  • console.cloud.vmware.com (registration & connection to services)
  • docker.vmc.vmware.com (container registry supporting service deployment & updates on the Cloud Gateway)
  • vcgw-updates.vmware.com (updates for the Cloud Gateway appliance)
  • data.mgmt.cloud.vmware.com (log collection into vRealize Log Insight Cloud)

A more complete inventory of firewall ports can be found at https://ports.vmware.com/
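Because the Cloud Gateway is documented to need only the destinations above, all on outbound TCP 443, a connection from it to any other destination or port is a useful detection signal for a misconfigured firewall rule or a compromised appliance. The following is an added example, not VMware tooling: it checks constructed firewall log lines against that allow-list. The key=value log format, the gateway address 10.10.20.15 and the sample destinations are assumptions; adapt the parser to whatever your firewall or egress proxy exports.

```python
"""Check vCenter Cloud Gateway egress against the documented allow-list.

Added example, not VMware code. Assumes connection records exported from
a firewall or egress proxy as 'key=value' lines; the format, the gateway
address and the sample lines are constructed.
"""
import re

# Destinations the Cloud Gateway is documented to need, all outbound TCP 443.
ALLOWED_DESTINATIONS = {
    "vmc.vmware.com",
    "console.cloud.vmware.com",
    "docker.vmc.vmware.com",
    "vcgw-updates.vmware.com",
    "data.mgmt.cloud.vmware.com",
}
ALLOWED_PORT = 443

# Address of the Cloud Gateway appliance as it appears in the log (assumption).
GATEWAY_ADDRESS = "10.10.20.15"

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; returns None for unparseable lines."""
    fields = dict(FIELD_RE.findall(line))
    required = {"src", "dst", "dport", "proto"}
    return fields if required <= fields.keys() else None


def unexpected_gateway_egress(lines):
    """Return (line_number, reason) for each gateway connection outside the allow-list.

    Only records whose source is the gateway are judged; traffic from other
    hosts and unparseable lines are skipped rather than reported.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        rec = parse_record(line)
        if rec is None or rec["src"] != GATEWAY_ADDRESS:
            continue
        dst, port, proto = rec["dst"], rec["dport"], rec["proto"].lower()
        if proto != "tcp":
            findings.append((number, f"non-TCP egress to {dst} ({proto})"))
        elif port != str(ALLOWED_PORT):
            findings.append(
                (number, f"egress to {dst} on port {port}, expected {ALLOWED_PORT}")
            )
        elif dst not in ALLOWED_DESTINATIONS:
            findings.append((number, f"egress to undocumented destination {dst}"))
    return findings


# Constructed sample log (not real firewall output).
SAMPLE_LOG = [
    "ts=2022-06-28T09:00:01Z src=10.10.20.15 dst=vmc.vmware.com dport=443 proto=tcp action=allow",
    "ts=2022-06-28T09:00:02Z src=10.10.20.15 dst=docker.vmc.vmware.com dport=443 proto=tcp action=allow",
    # not a documented destination
    "ts=2022-06-28T09:00:03Z src=10.10.20.15 dst=updates.example.net dport=443 proto=tcp action=allow",
    # documented host, but not on 443
    "ts=2022-06-28T09:00:04Z src=10.10.20.15 dst=vcgw-updates.vmware.com dport=80 proto=tcp action=allow",
    # not TCP at all
    "ts=2022-06-28T09:00:05Z src=10.10.20.15 dst=203.0.113.9 dport=443 proto=udp action=allow",
    # a different host; outside this check's scope
    "ts=2022-06-28T09:00:06Z src=10.10.30.7 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    "this line is not parseable",
]

if __name__ == "__main__":
    for number, reason in unexpected_gateway_egress(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Against the sample log the check reports lines 3, 4 and 5 and ignores the other host and the unparseable line. In practice scope the exported records to Internet-bound traffic only, so that expected internal dependencies such as your own DNS and NTP servers are not reported as findings.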

What operating system(s) does the vCenter Cloud Gateway run on?

VMware ESXi and products deployed as appliances are atomic units, supported in full by VMware, and managed and patched as a single entity. VMware does not support management of or changes to the appliances outside of published APIs and user interfaces. This includes changes to the hardware compatibility of the appliance, sizing of the appliance, and changes to the internal configurations of the appliance, except when done through supported product management interfaces like the VAMI.

Other interfaces, like SSH and the appliance shell/DCUI, are present for troubleshooting and support purposes. These support interfaces are shipped in a disabled state and are intended only for use as directed by VMware Global Support Services (GSS). When support and troubleshooting are concluded they should be returned to a disabled state.

This delivery model is akin to that of a network switch, whose firmware is updated as a single image, rather than an installed application. We encourage users to list the products as their own operating system in their organizational asset inventories, as they would with network or SAN switch firmware. For example, the operating system for vCenter Server 7 would be “VMware vCenter Server 7.” This helps prevent misunderstandings about updates, patching, and support boundaries during audits and vulnerability assessment and remediation.

Do I need to install the VMware vCenter Cloud Gateway?

Yes, the gateway is what connects vSphere to the cloud services.

Does the VMware vCenter Cloud Gateway need to be on the Internet?

No. It should be placed behind your perimeter firewalls.

Are passwords & sensitive information transmitted to VMware Cloud?

No. VMware vSphere+ administrators will only need to enter usernames and passwords on the Cloud Gateway appliance to create the connections to the VMware Cloud and to the on-premises vCenter Servers. This authentication information is never sent to the cloud.

How will users be informed of security vulnerabilities and disclosures?

VMware has a robust process for handling security issues, following the industry-standard “responsible disclosure” model. When security vulnerabilities are disclosed to users it will be as a VMware Security Advisory (VMSA) and will be posted at:

https://www.vmware.com/security/advisories.html

We strongly urge all VMware customers to subscribe to the VMSA mailing list, found on the link above.

What types of data are collected and sent to VMware Cloud?

VMware will collect product data required to manage the respective VMware vSphere+ deployments.

How is customer data protected?

VMware has implemented technical, administrative, and organizational safeguards to ensure a least-privilege style of access to the information collected. All VMware employees must receive training and obtain certification for responsible use and handling of collected data.

Who has access to VMware vSphere+ data?

Data is accessible on a need-to-know basis to employees who perform support and management activities on VMware vSphere+ services inside VMware Cloud. The tools, processes and teams are the same as our current Support methods for any VMware products and services. Data can be shared across VMware teams to enable cross-product correlation and analysis. VMware employees must complete product usage data training and receive management approval prior to gaining access to the data.

Will VMware share data with third parties?

Data is not shared with partners or third parties.

Does VMware have data retention processes?

Data is kept only if needed for specific, defined uses, and no longer than necessary for these purposes.

This document does not contain information about security hardening for VMware vSphere+. Where can I find guidance on that?

VMware publishes the vSphere Security Configuration Guide which serves as the baseline for security hardening. The recommendations apply to VMware vSphere+ as well. You can find the latest copy at:

https://via.vmw.com/scg

In all cases, whether traditional vSphere or modern VMware vSphere+ deployments, we strongly recommend applying the latest product patches, employing strong access control technologies like multifactor authentication (MFA), and practicing least-privilege and zero trust by restricting access to hardware, appliance, and vSphere management interfaces.
