Configuring security can be a complex, error-prone process with many of the same risks that it seeks to mitigate. Three different elements simplify the process of securing VxRail infrastructure. First, vSphere has a "secure by default" approach to configuration. Second, Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) give a blueprint for security hardening. A variety of automation tools allow the monitoring and configuration of security parameters to be checked and configured as necessary. This enables the appropriate risk profile to be configured to correspond with the business needs. Finally, the ability to automate reverting the configuration to a known secure state when unexpected changes occur is a vital part of VxRail security.
Starting with vSphere 6.0, VMware began an initiative to make security the default setting for vSphere. This makes VxRail more secure straight out of the box. As part of this initiative, most recommended security settings were classified as either site specific or changed to default to the secure setting. Settings that previously had to be changed after the installation was updated, so the secure setting became the default.
Configuration settings that classify as site-specific cannot be configured by default—for example, the hostname of a remote Syslog or NTP server. With VxRail, many of the settings that VMware classifies as site-specific are configured by HCI System Software as part of the installation.
Many organizations use STIGs as a baseline to harden their systems. These STIGs provide a checklist in both a human readable PDF and an automated script. This enables automation tools to read the STIG and configure the environment to match the recommended configuration with minimal manual intervention. While existing VMware STIGs cover VxRail components, including vSphere, ESXi, and vSAN, make implementation as easy as possible. Dell EMC VxRail running VxRail software v4.5.x, 4.7.x, and 7.x comply with relevant DISA Security Technical Implementation Guidelines (STIG) requirements.
Over time, configurations can drift to less secure positions. Because of this, it's important to not only monitor the configuration but also automate the restoration of the environment to the initial secure state. VxRail supports multiple different options depending on the level of automation required. VxRail has automated hardening tools that check the current configuration against a STIG, and if the configuration has changed, revert the configuration back to the known safe state. If a more extensive automation tool is required, VMware vRealize Suite works with VxRail environments to automate configuration management while maintaining governance and control. VMware offers AppDefense, a more application-focused tool that uses machine learning to gather information about a known good state for VMs and the applications they support. With this tool, when a variation from the known good state is detected, the administrator will be notified, and a response can be automated from a library of incident response routines.