Announcing the vSphere Security Configuration Guide 7

We are pleased to announce the availability of the vSphere Security Configuration Guide 7. The vSphere Security Configuration Guide (SCG) is the baseline for hardening and auditing guidance for VMware vSphere itself. Started more than a decade ago, it has long served as guidance for vSphere Administrators looking to protect their infrastructure.

In the world of security there are compliance frameworks and implementation guides. Compliance frameworks, like NIST 800-53, PCI DSS, CMMC, and the like often specify what security goals we need to achieve, but they do not tell us how. In contrast, implementation guides are sets of specific technical controls, intended for a specific audience or application. These tell us how to do something, but not why. In an ideal world these two come together as a matched set, as they do in the VMware Compliance Kits for NIST 800-53 and PCI DSS, to bridge the gap between implementation & audit.

Implementation guides tend to be inflexible; you implement them the way they say or else! Should a vSphere Administrator who wants security guidance adopt an implementation guide that isn’t specifically for them? For example, a DISA STIG is intended for use by agencies of the United States’ federal government and has guidance specific to federal standards. Security is always a tradeoff against something else, primarily usability, but often performance, staff time, and expense, too. Too much security is costly in terms of opportunity cost. Too little is costly in terms of security incidents and liability. Compliance frameworks are helpful in determining a balance, but in lieu of that, how do a vSphere Administrator and their organization choose to trade usability, staff time, and budget?

This is where the vSphere SCG fits in. The vSphere Security Configuration Guide is intended to be a baseline set of security best practices that inform a vSphere Administrator’s security efforts but does so in a general way that examines the tradeoffs at hand. It has 78 “controls” but no scoring and no risk profiles or levels. Does other security guidance have those things? Yes, and they need to. DISA needs to be able to score their agencies against their own standards, and a compliance auditor needs to be able to determine if an organization has correctly implemented security processes. The SCG’s goal, though, is to be guidance that reflects that security is a process, not just a particular set of tools, products, or security “nerd knobs” on a spreadsheet, and to meet organizations where they are to find the balance they need.

What’s New in vSphere Security Configuration Guide 7?

The vSphere Security Configuration Guide 7 is the first major update in a few years and reflects a changed landscape, both within VMware and in information security in general.

First, this version is a transition to a new model that, in the future, will be aligned to our compliance efforts. As much as we, as vSphere Administrators, like to try to avoid compliance, it is here to stay, and we have found that much of the friction around compliance is caused by gaps in understanding during the audit process. By aligning to NIST 800-53 and using our patented processes for mapping those controls into NIST 800-171, CMMC, PCI DSS, ISO 27001, NERC CIP, and other compliance standards, we can reduce duplicate efforts and create better guidance that helps fill the gaps in understanding and gets you to a secure state faster.

Second, this update reflects the core tenets of information security: confidentiality, integrity, and availability. This is the CIA triad and it reflects that security is woven into all aspects of IT. Our guidance needs to reflect that, too. Security isn’t just keeping our data safe in place, it’s keeping it safe in use, and making sure that our systems are usable when we need them to be. Threats like CPU & hardware vulnerabilities and ransomware were unrealized when vSphere 6.7 was released, but they are major considerations now which everyone needs to take very seriously. To these ends we are “doubling down” on ideas like reducing attack surface, disabling SSH (and leaving it that way), automating with PowerCLI & APIs, patching at all levels, and isolation among systems. Acknowledging this new reality, prior vSphere SCG guidance that enabled other behaviors has been removed in this release.
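As an added illustration of the "disable SSH and leave it that way" and "automate with PowerCLI" ideas above (this is example code written for this post, not a script from the SCG or from VMware), the following PowerCLI snippet audits the SSH service on every ESXi host visible to an existing vCenter session and, optionally, stops it and sets its startup policy to Off. It assumes you have already run Connect-VIServer, and uses the standard ESXi service key TSM-SSH; the function and parameter names are this example's own.

```powershell
# Example (not part of the SCG): audit, and optionally remediate, SSH on ESXi hosts.
# Assumes an existing PowerCLI session (Connect-VIServer) to vCenter.

function Get-EsxiSshState {
    # Returns one object per host describing the SSH service state.
    param([string]$HostFilter = '*')

    foreach ($vmhost in Get-VMHost -Name $HostFilter) {
        # TSM-SSH is the service key ESXi uses for the SSH daemon.
        $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        [pscustomobject]@{
            Host     = $vmhost.Name
            Running  = $ssh.Running          # $true means SSH is currently listening
            Policy   = $ssh.Policy           # 'off' is the desired startup policy
            Compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
        }
    }
}

function Disable-EsxiSsh {
    # Stops SSH and sets its startup policy to Off on hosts where it is enabled.
    param([string]$HostFilter = '*')

    foreach ($vmhost in Get-VMHost -Name $HostFilter) {
        $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        if ($ssh.Running) {
            Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
        }
        if ($ssh.Policy -ne 'off') {
            # "Leaving it that way": prevent SSH from starting with the host.
            Set-VMHostService -HostService $ssh -Policy Off | Out-Null
        }
    }
}

# Audit first; review the table before remediating.
Get-EsxiSshState | Format-Table -AutoSize

# Uncomment to remediate every non-compliant host:
# Disable-EsxiSsh
# Get-EsxiSshState | Where-Object { -not $_.Compliant }
```

Running the audit on a schedule and alerting on any host where Compliant is $false is a simple way to catch drift, such as SSH left on after a troubleshooting session, which is the failure mode the guidance above is warning about.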

Last, the release of VMware vSphere 7 in April 2020 brought new technologies, but also new release processes. Moving forward we hope to release updates to vSphere on more regular intervals. The intention is to update the SCG at those intervals as well, correcting errors and omissions that we find, introducing automation, and adjusting the guidance to reflect changing defaults in vSphere. The vSphere SCG isn’t just for customers; we also use it as a benchmark for how well we are meeting our goals of making vSphere secure by default and making security features easy to use. You will see that some of the SCG guidance reflects that and offers vSphere Administrators the option of relying on the new defaults in order to reduce the customizations that need to be managed.

Download the vSphere SCG 7

You can get the vSphere Security Configuration Guide 7 at its new home on The Core:

Join us live to talk about the SCG 7 on October 8th!

Join Bob Plankers live on Thursday, October 8th at 10 AM Pacific to talk about the SCG 7 and hardening of vSphere. 20 minutes of talk, then live Q&A via the chat. No registration required, but if you want the URL and the “save the date” calendar reminder for this, and the rest of the Cybersecurity Awareness Month live talks, check out the schedule! Join us, it’ll be fun!

It’s Cybersecurity Awareness Month and we’re celebrating it by streaming live every Thursday in October! Join us for a 20 minute presentation and then live Q&A afterwards. Topics and calendar reminders can be found on the schedule. No registration required. Please join us!

We will continue posting new technical and product information about vSphere with Tanzu & vSphere 7 Update 1 on Tuesdays, Wednesdays, and Thursdays through the end of October 2020! Join us by following the blog directly using the RSS feed, on Facebook, and on Twitter, and by visiting our YouTube channel which has new videos about vSphere 7 Update 1, too. As always, thank you, and please stay safe.