
The Sphere is Solid: vSphere Hardening, the Right Way

Whether we embrace it or not, IT Security organizations have become key players in our organizations over the years.  Sometimes they get a bad rap; they have to become the enforcers for the various policies and compliance requirements our businesses must adhere to.  Audits can be met with enthusiasm or dread, but they aren’t going anywhere soon.  I think much of the negative publicity comes from a lack of understanding of the bigger picture.  Many times an audit creates more work for an area of infrastructure, which can be difficult to absorb if a group is already running thin.

The Bigger Picture
IT Security departments are there to protect us.  They protect us, our systems, our data, and most importantly our intellectual property.  From responding to security events such as breaches, viruses, lost assets, or vulnerabilities, to educating us on the compliance standards we must meet, IT Security is the front line in protecting our assets.  In some organizations, IT Security will be involved with change management to help us protect ourselves from…well, ourselves.

How Do We Protect Ourselves?
As a VMware administrator or architect, we look at something called the vSphere Hardening Guide.  Hardening guides exist for pretty much every area of infrastructure, and serve to give us a GUIDE on how to protect ourselves based on our business needs.  Like a best practice, hardening guides are not meant to be blindly implemented.  While someone could blindly follow the guidelines and create the hardest, most impenetrable vSphere environment ever, chances are this vSphere environment wouldn’t actually meet the requirements of the business.

Edward Haletky gave a fantastic talk called Using the vSphere Hardening Guide as a #vBrownBag Tech Talk at VMworld 2014.  Everyone who’s looking to implement vSphere hardening practices should take 12 minutes and watch.  It will give you a great idea of how you should be approaching this.  The key is all about understanding your business and your unique requirements.

STOP, Audit Time!
While the vSphere Hardening Guide is a great place to start, your own documentation for your own environment will come in handy when you’re going through an audit.  An internal audit is fairly common, and by having documentation at the ready you can make it smoother for everyone involved.  Beyond having your documentation in order, a policy based infrastructure can go a long way in your preparedness for an audit.  A policy based infrastructure can turn “Did we do this?” into “As you can see, we’re continuously doing this.”  In the same way that CI/CD is being used for better development practices, policy based security can allow us to ensure continuous awareness of our environment.
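As an added example (not code from the original post), here is the kind of read-only drift check that turns “Did we do this?” into a report you can hand an auditor: it compares every ESXi host against a documented baseline using VMware PowerCLI.  It assumes you are already connected with Connect-VIServer; the setting names are real ESXi advanced settings of the sort the Hardening Guide covers, but the expected values are illustrative placeholders to be replaced by whatever your own documentation prescribes.

```powershell
# Added example, not from the original post: compare each ESXi host against a
# documented baseline and report drift. Read-only: nothing is changed here.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
# Setting names are real ESXi advanced settings; the expected values are
# illustrative and must come from your own hardening documentation.
$Baseline = @{
    'UserVars.ESXiShellTimeOut'               = 900     # idle ESXi Shell service timeout (seconds)
    'UserVars.ESXiShellInteractiveTimeOut'    = 900     # idle interactive shell session timeout
    'Security.AccountLockFailures'            = 5       # lock local accounts after N failed logins
    'Config.HostAgent.plugins.solo.enableMob' = $false  # Managed Object Browser disabled
}

$Report = foreach ($VMHost in Get-VMHost) {
    foreach ($Name in $Baseline.Keys) {
        # A missing setting is reported as non-compliant rather than silently skipped
        $Setting = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
        $Actual  = if ($Setting) { $Setting.Value } else { '<not present>' }

        # Compare as strings so 900 vs "900" and $false vs "False" line up
        $IsCompliant = ($null -ne $Setting) -and ("$($Setting.Value)" -eq "$($Baseline[$Name])")

        [PSCustomObject]@{
            Host      = $VMHost.Name
            Setting   = $Name
            Expected  = $Baseline[$Name]
            Actual    = $Actual
            Compliant = $IsCompliant
        }
    }
}

# Non-compliant rows first so drift is visible at a glance. The same objects
# can be piped to Export-Csv and kept per run as evidence of continuous checking.
$Report | Sort-Object Compliant, Host | Format-Table -AutoSize
```

Scheduling this to run on a cadence and keeping each run’s output is what lets you answer an auditor with “as you can see, we’re continuously doing this.”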

For example, let’s say you have a requirement for separation of certain applications in your environment.  There are a number of ways this can be required, and a number of ways it can be accomplished.  Do I need them on separate hosts?  Or can I just use something like a Private VLAN to make sure they can’t talk to each other?  What about storage?  Do they need to be on separate datastores?  What about management?  Should the same groups be able to manage them within vSphere?

The first step in solving this problem would be to start with the business drivers behind why the applications need to be separated, and how far the separation must go.  Is there some sort of internal or external compliance aspect?  Is it a performance concern?  Can it use common infrastructure like AD, or does this application need to have its own?  An architecture diagram would be good to have at this juncture, and if there isn’t one, you may want to create one.  Same with deployment guides.  Is this application deployed in the same prescriptive manner every time, or is it a free-for-all?  Once we get to a state where we know what the components are, and we know how they need to be deployed, we can begin to automate the process.  We can use a tool like VMware vRealize Orchestrator (the orchestrator formerly known as vCenter Orchestrator) to create a workflow that can call on all the various components we will need.  Then, we will have a prescriptive method to prove our application is deployed in the same manner every time, and meets our business requirements.

(Image: VMworld logo.  Caption: Getting ready to vRealize the policy based future at VMworld 2014)

Security is no longer the domain of the security team.  We’re all members of the security team now, even us vSphere administrators.  From technology to the business partner, we have to embrace these methods.  It isn’t a finger-pointing exercise any more; it is all about working cross-functionally to serve our business customers.  By embracing our IT Security counterparts, hardening our environments with supporting documentation, and working towards a policy based infrastructure, we’re able to give time back to ourselves.  Audits can become quick exercises, and we can get back to what we do best: innovating and providing our business with a competitive edge.


Song of the Day – Calvin Harris – Outside (ft. Ellie Goulding)