Just entered my mailbox, there is a new rev of the vSphere 5.1 hardening guide which was spoken about on the last Virtualization Security Podcast. This version of the hardening guide adds a much needed new feature: Profiles. Profiles define the level of security requirements based on small and medium business, enterprises, and government agencies. There is a public review for the guide over the next two weeks, so if you want to comment or read the latest draft of the vSphere hardening guide please visit http://communities.vmware.com/docs/DOC-22783.
Given the introduction of profiles some of the security hardening suggestions have also been revised and updated to meet requirements ofÂ your level of security. No longer do you need to practice draconian measures but can meet your existing requirements. Just map your requirements to the specific profile and follow that profile’s guidance.
All in all, this is a fairly major improvement in the hardening guide. There is more to do of course, regarding scope of the guide, but some of that falls into operational issues more than actual hardening of the environment. I still worry about the connections between components and eventually I expect the guidance to cover all these requirements.
Please remember that the lowest hanging fruit of virtualization security, regardless of hypervisor, is to protect your management constructs!