For VMware Cloud Foundation implementations, post-deployment, security must be handed over to a dedicated team to augment and monitor the security posture. Attack vectors and compliance guidelines are constantly evolving so the information provided is often used to establish a baseline, not an absolute, or complete picture.

NIST 800-53 Revision 5, risk rating Moderate, forms the security baseline used to evaluate VMware Cloud Foundation. NIST 800-53 is the baseline because of its vast array of controls and because it is often used by other regulations as part of their reference framework.

NIST is a risk-based framework, which requires each organization to assess their own risk posture and identify applicable controls. The

Compliance Kit for VMware Cloud Foundation

does not remove this step. The VMware Cloud Foundation security design and compliance mappings inform the reader of both design decisions and security configurations.

The VMware Cloud Foundation security design is not enough on its own. Each organization must have a series of supporting security architecture, technology, processes, and people to evaluate. Applications, workload domains, software-defined networking topology, customer data, privacy, and myriad other factors must be evaluated as part of the overall security architecture.

Super users of the system inherit various technologies and typically work with security specialists to implement controls effectively. VMware Cloud Foundation has evaluated many design decisions that are incorporated with the overall design as outlined by VMware Validated Design architecture guides.

Subsequent deployments benefit from post-implementation security health checks to enhance the organizations security posture as it relates to the VMware Validated Design used in conjunction with VMware Cloud Foundation.