As Zero Trust design is the north star of designing and delivering more secure offerings, the VxRail product team engineers in significant Authentication, Authorization, and Accounting (AAA) capabilities into the VxRail HCI System Software. AAA is designed to control access, ensuring the right person is using the system, provide what level of access they have, and log activity to account for what has been done and by whom. Role Based Authentication Control (RBAC) is an example of one of the ways this is built into the management framework of VxRail.
Authentication to HCI System Software is handled by vCenter SSO, mediating access to the vCenter plug-in and by the VxRail API. vCenter supports the organization's centralized identity management system in accordance with authentication security policies.
Organizations often centralize identity management using directory services such as Microsoft Active Directory (AD) or LDAP. If VxRail is a stand-alone environment and not part of a domain, users and passwords can be managed locally in vSphere and iDRAC. From a best practice's stance, it would be recommended to use centralized authentication.
Many environments strengthen their identity management using multi-factor authentication that requires an additional level of identity verification, including certificates, smartcards, or security tokens, in addition to a username and password. VxRail fully supports multi-factor authentication (MFA) for both the domain and locally managed users through vSphere integration with partner MFA solutions.
Often there may be different individuals responsible for the physical servers, VxRail lifecycle management, and the management of the server, storage, and network virtualization environment. VxRail uses fine-grained, role-based access controls for iDRAC, HCI System Software, and vSphere. iDRAC also supports Secure Enterprise Key Management (SEKM), which works on encrypted drives across data centers, remote locations, and in the cloud, and provides extra protection beyond Local Key Manager.
VxRail supports local vSphere user accounts, AD or LDAP integration, vCenter single sign-on, and Active Directory Federation Services (ADFS). Although it is possible to have a stand-alone VxRail, most environments integrate with enterprise Identity and Access Management (IAM) systems that use directory services such as Microsoft Active Directory.
Using the “principle of least privilege” (POLP), a user is granted the required rights to perform their role but no more than is needed. vSphere includes several predefined roles that are used to grant appropriate privilege. For example, a user may be granted the role of vSphere Administrator, HCIA Management, or both. The HCIA Management role grants a user privilege to perform VxRail lifecycle management tasks from VxRail management plug-in within vCenter. vSphere Administrator grants privilege to perform Administrator tasks in vCenter. vSphere allows an even granular level of access control by the creation of custom roles. For example, a privileged user may be granted the ability to acknowledge an alarm or create a storage profile but not deploy VMs.
Roles are associated with users and groups and with specific objects, where an object is a thing or group of things. For example, a user or group might have permission to acknowledge alerts for a particular VM or port, but not other objects. Also, restrictive roles such as No Access may be assigned to users, preventing them from seeing specific areas within vCenter. Multiple users or groups can be granted the same or different levels of access to the same object. Permissions granted to a child object can be used to override permissions inherited from a parent object.
vCenter Server Role-Based access control supports the granular security principles of “Least Privilege” and "Separation of Responsibility” and allows the security administrator to enhance security by defining precise permissions based on the systems management structure organization.
Understanding changes in configuration and component status is vital to keeping systems secure and available. Changes may be the result of a temporary fix causing a configuration drift. For example, if someone updates a component of the VxRail software’s continuously validated state without using VxRail LCM or vLCM to perform the upgrade with the VxRail software download. Or these changes could be an indication of a possible intrusion. Proactively monitoring infrastructure is an important security activity.
Timely detection when an intrusion happens can mean the difference between a brief interruption where the attacker is unable to compromise any critical systems, and an intrusion that persists for months leading to the compromise of multiple critical systems. Failure to maintain a system of audit logs may not provide adequate information about the attack to determine severity.
The challenge with monitoring the information is that it comes from many different sources—an individual VM, a physical server, the virtualization infrastructure, the network, security components, or the applications themselves. Making sense of this information requires a consolidated view of activity and changes. VxRail includes vRealize Log Insight. Log Insight compiles VMware logs, including servers, network devices, storage, and applications. As the graphic below shows, Log Insight creates a dashboard with graphs based on the data in the logs. This helps the administrator quickly and easily examine the root cause of the issue.
Correlating all of this information is one of the many reasons that VxRail uses the industry standard Network Time Protocol (NTP) to keep all the component clocks synchronized.