Book Image

VMware vCloud Security

Book Image

VMware vCloud Security

Overview of this book

Security is a major concern, in particular now that everything is moving to the cloud. A private cloud is a cloud computing platform built on your own hardware and software. The alternative is to deploy the services you need on a public cloud infrastructure provided by an external supplier such as Amazon Web Services, Rackspace Cloud, or HP Public Cloud. While a public cloud can afford greater flexibility, a private cloud gives you the advantage of greater control over the entire stack. "VMware vCloud Security" focuses on some critical security risks, such as the application level firewall and firewall zone, virus and malware attacks on cloud virtual machines, and data security compliance on any VMware vCloud-based private cloud. Security administrators sometimes deploy its components incorrectly, or sometimes cannot see the broader picture and where the vCloud security products fit in. This book is focused on solving those problems using VMware vCloud and the vCloud Networking and Security product suite, which includes vCloud Networking and Security App, vShield Endpoint, and vCloud Networking and Security Data Security. Ensuring the security and compliance of any applications, especially those that are business critical, is a crucial step in your journey to the cloud. You will be introduced to security roles in VMware vCloud Director, integration of LDAP Servers with vCloud, and security hardening of vCloud Director. We'll then walk through a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. We'll create access control policies based on logical constructs such as VMware vCenter Server containers and VMware vCloud Networking and Security security groups but not just physical constructs, such as IP addresses. You'll learn about the architecture of EPSEC and how to implement it. Finally, we will understand how to define data security policies, run scans, and analyze results.
Table of Contents (13 chapters)
VMware vCloud Security
Credits
Foreword
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
Index

vCloud Director security


VMware vCloud Director has been designed to be a really secured environment right from the bottom to the top layers. However, it is up to the vCloud Director administrators how they can use security roles, and the LDAP integration to keep VMware vCloud secure. However, this was based in vCloud Director Version 1.5.

The vCloud Director security guide is available at http://www.vmware.com/files/pdf/techpaper/VMW_10Q3_WP_vCloud_Director_Security.pdf, which covers in detail how to address the security needed for specific environments.

If you look at the vCloud Director Security model and see how a user can be identified, you will see that user identification can happen from five possible locations and those are:

  • Locally defined in vCloud Director (not desirable from a security standpoint)

  • Imported users from a Lightweight Directory Access Protocol (LDAP) server into vCloud Director

  • Locally defined users in each organization (not desirable from a security standpoint)

  • Imported users from an LDAP server into a specific organization

  • Imported users from either the VMware vSphere identity provider (IdP) or the external identity provider (IdP)

System administrators have been defined at the system level, and they carry full system-level access.

As VMware vSphere, vCloud Director also uses roles and permissions to determine what actions a user can perform in an organization. vCloud Director comes with a number of predefined roles with specific rights. System administrators and organization administrators have the ability to assign each user or group a role. It is possible to have the same user imported into different organizations from one LDAP system. That user can then be assigned different rights in each organization if desired. System administrators can also create roles and modify existing ones. Also all the roles can be modified by the system administrator. They can also create custom roles.

By default, vCloud Director ships with some predefined roles and those are:

  • System Administrator

  • Organization Administrator

  • Catalog Author

  • vApp Author

  • vApp User

  • Console Access Only