Triple A Security for VMware Cloud Foundation with Entrust CloudControl


As IT environments transition to hybrid cloud, security architectures must undergo a corresponding transformation. CloudControl from HyTrust (now a fully owned subsidiary of Entrust) addresses the need for a comprehensive solution by providing a unified framework for security and compliance across the hybrid cloud – reducing both risk and operational overhead. Entrust customers have long used CloudControl for advanced Role and Attribute Based Access Control and compliance in VMware environments. Entrust recently announced a joint collaboration with VMware to enhance CloudControl by adding support for VMware Cloud Foundation (VCF), assuring joint customers that their security needs are fully met.

For those who are unfamiliar, VMware Cloud Foundation (VCF) provides a single platform offering an integrated infrastructure stack in one bundle.

VCF is sometimes described as the ‘easy button’ for deploying the VMware stack of products, as shown in the illustration above. Depending on operational needs it can be deployed either on-premises, where the customer is responsible for managing both the physical infrastructure and the virtual machine workloads, or as-a-Service, where the Cloud Service Provider (CSP) manages the underlying infrastructure and the customer remains responsible for managing their virtual machine workloads.

With the aforementioned release of Entrust CloudControl 6.4, VCF customers can now rely on a centralized solution for achieving triple A (or AAA) security.

The three As stand for:

  • Authentication
  • Authorization
  • Audit Control

These apply to both the User Interface (UI) and the Application Programming Interfaces (APIs) that provide access to the critical infrastructure resources within the VCF ecosystem – including ESXi hosts, vCenters, NSX-T Managers, vSAN, and of course SDDC Manager and all associated Workload and Management Domains.

Let’s dig into the AAAs in a bit more detail:

Authentication: Customers can leverage existing investments in LDAP (Lightweight Directory Access Protocol, an open and cross-platform protocol for directory services authentication), Microsoft Active Directory and identity providers such as Ping, Okta and Duo for all access to VCF resources. CloudControl 6.4 integrates with these solutions to enforce single-factor or multi-factor authentication for access to VCF resources.

Authorization: With out-of-the-box support for approximately 10 roles, including SDDC Manager Admin, SDDC Workload Admin and SDDC DataCenter Admin, CloudControl makes it easy for customers to implement fine-grained Role and Attribute Based Access Control (RBAC / ABAC) across multiple VCF resources. For example, the SDDC Workload Admin role includes permissions for operations on the SDDC Manager, ESXi, vSAN and NSX-T. Moreover, customers can easily define and customize additional roles using CloudControl’s simple, flexible and powerful Role Management engine. Roles thus defined can be mapped to users or groups, and enforcement is carried out by a transparent proxy that sits between admins and the VCF environment. Admins require no new training: they continue to use their familiar VMware UI, CLI and API.

Audit: All requests for access, covering operations that were allowed as well as operations that were denied, are captured by CloudControl in a forensic-quality Audit Log. Customers can use the Audit Log to obtain details of the specific values that were changed (or that an operation attempted to change). Additionally, these Audit Log records can be sent to SIEM tools such as VMware Log Insight and Splunk for deeper analysis.
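To make the authorization and audit flow above concrete, here is an added illustrative model (not CloudControl's code) of what a transparent policy proxy does per request: resolve the caller's directory groups to roles, decide allow or deny, and write an audit record that keeps the attempted change even when the operation is denied. The role names are the ones the article cites; the permissions under each role, the group mapping and the record layout are assumptions.

```python
import json
from datetime import datetime, timezone

# Role names are those the article cites; the permission strings beneath each
# role are assumptions for illustration, not CloudControl's actual definitions.
ROLE_PERMISSIONS = {
    "SDDC Manager Admin": {"sddc-manager:*"},
    "SDDC Workload Admin": {"sddc-manager:read", "esxi:*", "vsan:*", "nsx-t:*"},
    "SDDC DataCenter Admin": {"esxi:read", "vsan:read", "nsx-t:read"},
}

# Directory group -> roles (constructed mapping standing in for AD/LDAP groups).
GROUP_ROLES = {
    "vcf-workload-admins": ["SDDC Workload Admin"],
    "vcf-readonly": ["SDDC DataCenter Admin"],
}

AUDIT_LOG = []  # one JSON-serialisable record per proxied request


def resolve_roles(groups):
    """Map the caller's directory groups to the roles assigned to them."""
    return {role for g in groups for role in GROUP_ROLES.get(g, [])}


def permitted(roles, resource, action):
    """True if any role grants the exact action or a wildcard on the resource."""
    wanted = {f"{resource}:{action}", f"{resource}:*"}
    return any(wanted & ROLE_PERMISSIONS.get(r, set()) for r in roles)


def proxy_request(user, groups, resource, action, change=None):
    """Make the allow/deny decision and record it. The attempted change is
    logged either way, so denied attempts stay visible to the SIEM."""
    roles = resolve_roles(groups)
    allowed = permitted(roles, resource, action)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "roles": sorted(roles),
        "resource": resource,
        "action": action,
        "outcome": "allowed" if allowed else "denied",
        "change": change,  # e.g. {"field": "mtu", "old": 1500, "new": 9000}
    })
    return allowed


def audit_as_json_lines():
    """Serialise records as one JSON line each, ready to forward to a SIEM."""
    return [json.dumps(r, sort_keys=True) for r in AUDIT_LOG]
```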

Don’t just take our word for it: check out this 15-minute demo of Advanced RBAC/ABAC for VCF with Entrust CloudControl.