Defend Your Data, Defend Your Infra: Automated Security in VMware vSphere

How to secure and defend your virtualization infrastructure with IT best practices and proven security automation techniques.

This post was co-written with me by Joanna Delaporte, a colleague and fellow Solutions Architect from Red Hat.

As organizations grow and evolve, so does the need for a secure and compliant data center or cloud strategy. With yet another ransomware incident targeting ESXi, it's clearer than ever that data center security is a top priority. How do you ensure your virtual machines, storage, and networking resources are protected? There are several options, including IT security best practices, tools built into VMware, and external tools that help secure your virtual environment on-prem, in the cloud, or across both.

Most of this advice holds for any environment, but this post focuses mainly on VMware vSphere and its suite of products, and primarily on server and infrastructure security.

General IT Security Best Practices for a Better Security Posture

Investigate your workflows from prevention to threat response. Automate as much as possible, so the work gets done instead of delayed.

Prevention includes steps such as standardizing your operating systems and their deployment (and decommissioning!), and utilizing cloud management solutions for consistency and change control. Prevention also includes tracking the enterprise’s system inventory accurately, using security awareness tools, practicing credential rotation, and executing planned or unplanned patch events.

Threat response starts with awareness, and with event-driven automation tools that can act on an alert immediately. Real-time monitoring tools like Splunk and Datadog, combined with Ansible, can help you stay ahead of potential security threats, while security-focused endpoint solutions like CrowdStrike can detect and resolve advanced attacks early in the process.

With integration of monitoring, security scanning, and last-mile automation tools, you can maintain continuous security across your entire environment.

  1. Regularly update antivirus software on servers and consider implementing an EDR (Endpoint Detection and Response) solution to proactively stop the latest malware-based attacks.
  2. Conduct regular backups of important data and keep backup copies in a secure location, such as an off-site server or cloud storage. Do not host your backups on the same SAN or drive as the main production data.
  3. Monitor network activity for any suspicious activity, and take immediate action if any malicious activity is detected. Use an automation tool to automate the remediation response faster than any human could.
  4. Implement multi-factor authentication, access controls, and least-privilege access to add extra layers of security to all logins and transactions, including your VMware/hosting environment.
  5. Use encryption to secure sensitive data, both in transit and at rest.
  6. Regularly assess your security posture using security audits, vulnerability scans, and penetration tests.
  7. Keep the OS and third-party software up to date and apply patches promptly to address known vulnerabilities. Most ransomware attacks target long-known vulnerabilities, not zero-days.
  8. Consider using threat intelligence services to stay informed of the latest threats and how to defend against them.
  9. Invest in security tools, such as firewalls, intrusion detection systems, and data loss prevention tools, to help protect against potential threats.
  10. Regularly assess the security of third-party vendors and service providers, and ensure that they are taking appropriate measures to protect your data. Questions worth asking:
     - Where do they host your data?
     - What security controls do they have in place?
     - Who has access to your data?
     - When do they patch, and how often?
     - Do they (and do you) have a Written Information Security Policy (WISP)? Do your employees know how, where, and when to respond, and what to report, when they see something suspicious?

Tools Sysadmins Can Use to Protect VMware Using Built-in vSphere Features

The VMware vSphere suite, having been around for 20 or so years, offers a wide range of tools and features for encryption and security in your environment. Some of my favorites, and the ones I've used in the past, are:

  1. vSphere Data Protection (VDP): The main backup and recovery solution that integrates with the vSphere suite to protect virtual machines, providing encryption of data both in transit and at rest.
  2. vSphere Encryption: This provides at-rest encryption of virtual machine disks and supports the encryption of vSAN and vSphere Virtual Volumes.
  3. vSphere Certificate Manager: A tool that enables you to manage and replace the default certificates used by vCenter Server, ESXi hosts, and other vSphere components with custom signed certificates.
  4. vSphere Trust Authority: A security solution that enhances the security of virtual machines by utilizing hardware-based key generation and management.
  5. vSphere Secure Boot: This cool feature ensures the authenticity of the ESXi boot process, making it much more difficult for any malware to modify the boot process or install persistent malware in the host system.
  6. vSphere Firewall: A rudimentary built-in firewall in the ESXi host that provides a configurable firewall set of rules to protect the virtual infrastructure at a basic level. Note this does NOT replace the need for a traditional firewall.
  7. vSphere Authentication Proxy: This is an authentication proxy for ESXi hosts that provides secure authentication for hosts in untrusted Microsoft AD domains.
  8. vSphere NSX: Network virtualization platform that enables micro-segmentation, secure multi-tenancy, and several options for network automation in the data center. Most small shops won’t use or have access to this, but it comes in handy in the larger enterprise data centers I’ve seen.
  9. vSphere Networking: A set of security features that include support for virtual switching, distributed firewall, and network micro-segmentation for footprints smaller than or in addition to NSX.
  10. vSphere Role-Based Access Control: An advanced security feature that enables administrators to define and manage fine-grained access control for vSphere objects based on user roles.

VMware's built-in security tools, such as secure networking, secure boot, micro-segmentation, layered access controls, and encryption, form a solid foundation for safeguarding your virtual machines. However, as the threat landscape changes and infrastructure grows increasingly complex, it's critical to go beyond these basics.

Image: A VMware datacenter with no RBAC, no encryption, no security policy, last patched 2 years ago, heading into a ransomware event. Source: Creative Commons

In short, while VMware's built-in security tools are a great start, they're just the tip of the iceberg. Worse, without even that bare minimum configured, you're on an ill-fated ship in 1912 heading straight for that iceberg. To truly protect your virtual machines in today's world, you need a multi-layered approach that combines the right tools with the best practices mentioned above.

Cybersecurity is Like Building a Castle

The castle walls represent the basic security measures such as firewalls, antivirus software, and access controls. However, just like a castle needs various defensive mechanisms such as moats, drawbridges, and guards to be truly secure, a modern data center or cloud environment also requires a multi-layered approach to security. This includes standardizing operating systems and images, implementing event-driven automation tools, and utilizing security-focused solutions to detect and respond to threats.

Image: What your datacenter COULD be with an automated, continuous security posture. Source: Creative Commons + Microsoft Paint

By taking a comprehensive approach to security, an organization can protect its valuable data and assets, just as a well-built castle can protect its inhabitants from potential invaders. Just like castles were built to withstand the weapons and tactics of their time, a strong security posture must adapt and evolve to stay ahead of emerging threats.

While the built-in security tools in the VMware suite provide a strong foundation for securing virtual machines, additional tools and best practices are necessary to maintain a continuous security posture in modern data centers and cloud environments. By implementing a comprehensive security strategy, organizations can protect themselves against potential threats and maintain compliance with industry and regulatory requirements.

Using Event-Driven Ansible to maintain Security Posture and Compliance

As anyone who’s read this blog knows by now, we like Ansible in this house, so I’m going to dive into a few Ansible-specific tips below:

  1. Software patch management: Ansible can automate the deployment of software patches to every virtual machine in the VMware environment, covering OS patches, third-party software patches, and VMware host patches alike.
  2. Integrating with SIEMs: Ansible can also integrate with SIEMs like Splunk or Datadog to collect security data, analyze it, and take appropriate action in real time.
  3. Continuous Security Posturing: Using Event-Driven Ansible, security alerts from CrowdStrike can be responded to instantly, without manual intervention, in whatever automated fashion you see fit. Ansible Rulebooks let you define if, when, and how a perceived threat is handled automatically, and when you should be notified that it needs human intervention.
  4. Automating incident response workflows: Ansible can automate incident response workflows, ensuring that every incident is handled in a consistent, timely manner and is logged and reported wherever needed.
  5. Automating user account management: Ansible can automate the creation, modification, and deletion of user accounts, ensuring that all users have exactly the access to systems and data they need. This is critical for preventing unnecessary access from stale accounts, or from accounts holding group memberships they should not have.
  6. Integrating with ServiceNow: Ansible can also be used to integrate in several ways with ServiceNow for ticketing and response, allowing all security incidents to be tracked and resolved in a single centralized location.
  7. Automating your backup and recovery: Data backups can be quarterbacked by Ansible, ensuring all important data is regularly backed up, backups can be tested, and quickly recovered in the event of an attack.
  8. Automating security audits: Ansible can be used to automate security audits, ensuring that all systems are regularly assessed for vulnerabilities and that all security policies are being followed.
  9. Scalability: Ansible is as strong as an ox, able to manage large data centers with ease. Whether you have a few virtual machines or thousands, Ansible has got you covered.
  10. Ease of Use: Ansible is user-friendly, making it accessible to a wide range of IT professionals. It's like having a helpful friend by your side, guiding you every step of the way. It’s never been easier with the introduction of Project Wisdom and tools like ChatGPT as well.
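To make item 3 concrete, here is an Event-Driven Ansible rulebook written for this post as an added example; it is not code from Red Hat, VMware, or any product documentation. It assumes alerts arrive as JSON on the `ansible.eda.webhook` source with `severity`, `host_type`, `hostname`, `id` and `title` fields (a constructed payload shape), and the two playbooks it calls are hypothetical placeholders you would supply.

```yaml
# Added example rulebook: triage inbound security alerts for a vSphere estate.
# Assumptions (not from the original post): the SIEM/EDR forwards alerts as
# JSON to the webhook below with fields severity, host_type, hostname, id and
# title; both playbook paths are hypothetical and must be provided by you.
- name: Triage security alerts for the vSphere estate
  hosts: all
  sources:
    # Generic webhook listener from the ansible.eda collection. Splunk,
    # Datadog or CrowdStrike would be configured to POST alerts here.
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
  rules:
    # Rule 1: a critical alert on an ESXi host is contained automatically
    # and the alert id is passed along so the action is traceable later.
    - name: Contain critical ESXi alert
      condition:
        all:
          - event.payload.severity == "critical"
          - event.payload.host_type == "esxi"
      action:
        run_playbook:
          name: playbooks/contain_esxi_host.yml   # hypothetical playbook
          extra_vars:
            target_host: "{{ event.payload.hostname }}"
            alert_id: "{{ event.payload.id }}"

    # Rule 2: any other high-severity alert opens a ticket for a human
    # instead of acting alone, matching the "when to notify you" point.
    - name: Escalate high-severity alert to the on-call team
      condition: event.payload.severity == "high"
      action:
        run_playbook:
          name: playbooks/open_incident_ticket.yml   # hypothetical playbook
          extra_vars:
            summary: "{{ event.payload.hostname }}: {{ event.payload.title }}"

    # Rule 3: lower-severity alerts are recorded only; no automated action.
    - name: Record lower-severity alerts
      condition: event.payload.severity in ["low", "medium"]
      action:
        debug:
          msg: "Recorded {{ event.payload.severity }} alert from {{ event.payload.hostname }}"
```

Rules are listed from most to least specific, so a critical ESXi alert is handled by the containment rule rather than falling through to the catch-all; run it with `ansible-rulebook --rulebook <file> -i <inventory>`.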

The recent ransomware incident targeting ESXi should serve as another wake-up call about the importance of data center security and compliance. These tools can be the armor that protects your data center from cyber attacks and data breaches, just as a knight protects a castle.

In conclusion, continuous automated security posturing is the most in-depth answer to your data center security and compliance needs. With automated compliance audits, continuous security posture, instant self-remediation capabilities, scalability, ease of use, and protection against threats such as the most recent in a long history of ransomware incidents targeting ESXi, Ansible can be the ultimate quarterback for a secure and compliant data center or hybrid cloud. Don't wait any longer, and don't wait for signs. Go into work tomorrow and improve your security posture as if your job depends on it – one day it just might.

Disclaimer: Michael and Joanna are both Solutions Architects at Red Hat. All statements are their own and not a statement of an employer.