VMware vSphere 7 Security Features and Improvements


Security is one of the areas that has improved the most in vSphere. VMware vSphere 7 represents the most secure vSphere release to date, with many new security features and capabilities that support organizations' security initiatives both today and tomorrow. In this post, we will take a closer look at the new VMware vSphere 7 security features and improvements.

New VMware vSphere 7 security features and improvements

VMware has introduced the notion of intrinsic security, or security that is deeply integrated into the product. That means it is not just a “bolt-on” tool or feature that is added after the fact. VMware has taken a step back, analyzed the security landscape, and built the features and capabilities right into the platform itself so that environments built on top of vSphere 7 already have a secure foundation.

This includes the following:

  • Certificate management improvements
  • vSGX
  • Identity federation
  • vSphere trust authority
  • Improved life cycle management – patching and updates

Certificate management improvements

We all know that certificates are an extremely important component in the overall security posture of an organization. Historically, certificates have been a pain across the board. This has led organizations either to skip implementing certificates altogether if they didn’t have to, or to implement them incorrectly.

With vSphere 7, VMware has made this task easier, starting with vCenter Server. First of all, solution certificates have been deprecated and replaced with a less complex but still secure method of connecting to products such as vRealize Operations, vRealize Log Insight and others.

There is a new REST API for interacting with vCenter Server certificates as part of the larger API offering in vSphere 7 in general. In addition, the platform itself has been simplified so that there are fewer certificates to manage.

VMware has introduced four main ways to manage certificates in vSphere 7:

  • Fully Managed Mode: When you install vCenter Server, it is installed and initialized with a new root CA that manages the intra-cluster certificates between ESXi hosts, and between ESXi hosts and vCenter Server
  • Hybrid Mode: Allows replacing the certificate that the vSphere Client uses so that it is accepted by client browsers. This provides the best of both worlds: deep automation of security inside the vSphere infrastructure, and minimal client management for end users accessing the environment with the vSphere Client
  • Subordinate CA Mode: VMCA can operate as a subordinate CA with delegated authority from a corporate PKI. This allows vCenter to automate certificate management just as it could in fully managed mode; however, the certs that it generates are trusted as part of the organization
  • Full Custom Mode: In the fully custom mode, VMCA is not used at all and an admin must install and manage all certificates that are presented to the vSphere cluster. This could amount to dozens of certificates that need to be managed
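
As an illustration of the certificate REST API mentioned above, the following added example (not from the original post or from VMware) reads the vCenter machine TLS certificate metadata and flags upcoming expiry, a useful check in any of the four modes. It assumes the `/api/` paths of vSphere 7.0 U2 and later; the host name and sample values are constructed.

```python
import base64
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample shaped like the TLS certificate resource's response.
SAMPLE = {
    "subject_dn": "CN=vcsa.example.test",
    "issuer_dn": "CN=CA, DC=vsphere, DC=local",
    "valid_from": "2024-01-01T00:00:00.000Z",
    "valid_to": "2026-01-01T00:00:00.000Z",
}

def parse_ts(value):
    """Parse the API's UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")

def audit_tls_info(body, now, warn_days=30):
    """Return days left and findings for one certificate description."""
    info = body.get("value", body)  # older /rest/ paths wrap the result in "value"
    days_left = (parse_ts(info["valid_to"]) - now).days
    findings = []
    if now < parse_ts(info["valid_from"]):
        findings.append("not yet valid")
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    if info.get("subject_dn") == info.get("issuer_dn"):
        findings.append("self-issued (subject equals issuer)")
    return {"subject": info.get("subject_dn"), "issuer": info.get("issuer_dn"),
            "days_left": days_left, "findings": findings}

def fetch_tls_info(host, user, password, context=None):
    """Log in, read the machine TLS certificate metadata, then log out."""
    base = f"https://{host}/api"  # assumption: vSphere 7.0 U2 or later
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(f"{base}/session", method="POST",
                                   headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(login, context=context) as resp:
        headers = {"vmware-api-session-id": json.load(resp)}
    try:
        url = f"{base}/vcenter/certificate-management/vcenter/tls"
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                    context=context) as resp:
            return json.load(resp)
    finally:  # always release the session, even if the read fails
        logout = urllib.request.Request(f"{base}/session", method="DELETE", headers=headers)
        urllib.request.urlopen(logout, context=context).close()
```

Against a live vCenter, pass the result of `fetch_tls_info(...)` to `audit_tls_info(...)` with `datetime.now(timezone.utc)`; the sample dictionary lets the audit logic be exercised offline.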

vSGX – Virtualized SGX (Software Guard Extensions)

Virtualized SGX (Software Guard Extensions) uses features of various Intel CPUs that provide a secure location for storing the “secrets” we use in our applications. Cryptographic keys are a primary use case. However, it could be any kind of information that is sensitive.

In normal communication for an application hosted in a guest OS on top of a hypervisor on physical hardware, each layer can “see” the secret information. The application talks to the guest OS, ESXi sees into the secret, and it traverses all the way to the hardware. With SGX, the layers in between are prevented from seeing the secret on its way to the hardware.

This has a few requirements including the following:

  • VMware vSphere 7 and above
  • Virtual Hardware version 17 and above.
  • Supported Intel CPU
  • Noted limitations apply, including that VMware vMotion will not be able to move the vSGX information.
SGX restrictions as part of the new VMware vSphere 7 security features and improvements (Image courtesy of VMware)

Identity Federation

One of the really cool new features of VMware vSphere 7 is the identity federation capabilities. This includes the ability to have multi-factor authentication included as part of your identity solution. With VMware vSphere 7 Identity Federation, we can now attach vCenter Server to enterprise identity providers like Active Directory Federation Services (ADFS).

This allows vCenter Server to participate in the same centralized identity sources as other systems. End users authenticate to vCenter with the same mechanisms, including 2FA and MFA, that they use for any other solution in the organization.

Identity federation with VMware vSphere 7 security features and improvements (image courtesy of VMware)

vSphere Trust Authority (vTA)

Another revolutionary new security capability in the vSphere ecosystem with vSphere 7 is the vSphere Trust Authority (vTA). With vTA, you have a tool that ensures your infrastructure is secure by establishing a management cluster that serves as a hardware root of trust for your vSphere infrastructure.

This vSphere cluster is extremely secure, scrutinized heavily from a security standpoint, is isolated outside the normal vSphere cluster infrastructure and has an extremely small number of trusted admins who have access to the environment. This cluster will not run workloads so it can be of a very small hardware footprint.

vSphere Trust Authority included with vSphere 7 new security features and improvements (Image courtesy of VMware)

When established, the vSphere Trust Authority takes over the distribution of encryption keys from the KMS server. This takes vCenter Server out of the equation of security when it comes to these highly critical keys. This also means that vCenter Server can now be encrypted and protected by KMS as well.

If a host fails attestation, the vTA can withhold keys from the host. This prevents secure workloads from moving onto that host until the security issue has been resolved.

Improved Lifecycle Management

We may not often think of lifecycle management as part of the overall security tools we use. However, updates and upgrades are an extremely important part of the overall security features used by an organization.

Hackers often exploit known and already patched vulnerabilities found in various platforms. VMware has certainly improved the overall lifecycle management and capabilities with vSphere 7.

With the new vSphere Lifecycle Management tool that is replacing the older vSphere Update Manager, IT admins have a way to control the desired state of the overall vSphere platform. It also allows effectively updating firmware and other platform-specific software.

With the new vLCM tool, vSphere 7 lifecycle management helps to

Concluding Thoughts

With all the new VMware vSphere 7 security features and improvements, vSphere 7 is the most secure version of vSphere to date and certainly builds on the intrinsic security posture that VMware has introduced within vSphere.

The new certificate management features, vSGX, Identity Federation, vSphere Trust Authority, and new vSphere Lifecycle Management tool all help to solidify the vSphere 7 security posture of “intrinsic security” built into the platform.
