VMware Zero Trust Networking and Architecture Whitepaper

Executive Summary

VMware’s Zero Trust Networking and Architecture Whitepaper lays out actionable recommendations for the adoption of Zero Trust Architecture (ZTA). We provide this set or recommendations in response to Section 3 of the Cyber Executive Order (EO) 14028, which directs agency heads to develop a ZT implementation plan through these guidance, by aligning with the previous ACT--IAC Zero Trust Pillars. The use of this document, while designing your network security can help provide early assurances to begin efforts of deployment and integration with the future 'Final' versions of the OMB, DoD & DHS/CISA ZT guidance that will be finalized in the coming months.  

VMware will continue to offer recommendations on further alignment and strategies for implementation and integration of our solutions against both the drafts and final versions. As an example, VMware will be augmenting our solution alignment and future whitepaper(s) to incorporate those new / enhanced CISA foundational pillars shown below, which unlike the ACT, breakout and include a 'Data' pillar to better facilitate the transition to Zero Trust Security, as well as the OMB/DoD guidance as well.  

VMware Zero Trust Framework & Compliance

VMware’s products and solutions align with the Zero Trust pillars described by a number of the industry’s leading advisories and councils. Keep reading to learn how VMware’s products support the Zero Trust frameworks laid out by the ACT-IAC and previous NIST elements.  

VMware alignment with the ACT-IAC Zero Trust framework

VMware’s products and solutions align with the Zero Trust pillars described in the ACT-IAC Zero Trust whitepaper, dated April 18, 2019.

ACT-IAC Zero Trust Pillar

VMware Solution

Description

User- People/Identity Security

Workspace ONE

Enable ongoing authentication of trusted users. Using Identity and Access Management tools embedded in the platform.

Devices - Device Security

Workspace ONE, Carbon Black, Mobile Threat Defense (MTD)

Reduce the attack surface by enabling least-privilege access to applications after establishing trust. Real-time security posture, use of MDM solutions to perform device-trust assessments.  Continuous verification of endpoint compliance.

Network - Network Security

NSX, Avi Networks, VeloCloud

Move from perimeter-based to segmented and isolated assets on a granular level. Drive firewall capabilities down to the smallest IT asset. Build in capability to protect east/west traffic within a datacenter, and ability to stretch to secondary locations, including cloud service providers in hybrid and/or multi-cloud environments.

Applications

Workspace ONE, Horizon, NSX Carbon Black

Secure and manage application to control technology stack and ensure proper use of authentication. Satisfies the requirements of Zero Trust in an integrated digital workspace solution that is compatible with all types of endpoints and all types of applications. Conditional access control to all applications, data, and endpoints.

Automation

Workspace ONE, Carbon Black, vRealize Suite, VMware Cloud Foundation

Automate the management of user and device interaction. Remove human error element from Cybersecurity given the ability to push out standardized configurations across an environment

Analytics

Workspace ONE, vRealize Suite, NSX, CloudHealth

 

Capture and analyze device and user behaviors. Combined with automation to drive rapid incident response. Uses analytics and machine learning to give you insights into your organization’s dynamic security environment. Is open and extensible, and able to integrate with partner security solutions such as Security Information & Event Management (SIEM).

 

Zero Trust NSBU Matrix for ICT Pillars

The following table depicts the extended Zero Trust Alignment from VMware's Networking & Security Business Unit (NSBU), covering the matrix of the ICT pillars, outside of the EUC components, including elements such as, vRealize / SD-WAN & the NSX suite:

Expand for more details:

 

Zero Trust Pillar(s)

VMware Product(s) Capabilities Features Policy Engine
Analytics        
  NSX Advanced Load Balancer

The NSX Advanced Load Balancer Controller provides comprehensive observability based on closed-loop telemetry and presents actionable insights to make decisions based on application monitoring, end-to-end timing, searchable traffic logs, security insights, log insights, client insights, and more to provide real-time application security insights and analytics provide actionable insights on performance, end-users and security events in a single dashboard with end-to-end visibility.

Application Performance Monitoring, Real-Time Application Telemetry, End-to-End Timing (Client, Load Balancer, Server, Application) NSX ALB Service Engine
  NSX Intelligence

NSX Intelligence is a distributed data collection and security analytics engine accessible via NSX Manager (the NSX management console). NSX Intelligence efficiently collects metadata from hypervisors in an NSX environment and stores the information for later use. NSX Intelligence develops detailed, drill-down application dependency maps that visualize all the workloads and flows in the network, enabling operators to get a bird’s-eye view of their environment. Further, NSX Intelligence automatically recommends firewall security policies based on the observed traffic patterns between applications, radically simplifying the process of operationalizing micro-segmentation and internal firewalling. Finally, NSX Intelligence continuously monitors every traffic flow and allows operators to overlay the policy against the flows, enabling them to easily demonstrate and maintain security policy compliance.

L7 Packet Inspection, Intelligent Security Policy Formulation, Threat Intelligence

vSIP Kernel
  vRealize Network Insight VMware vRealize Network Insight delivers intelligent operations for software-defined networking and security. It helps customers build an optimized, highly available and secure network infrastructure across multi-cloud environments. It accelerates application discovery, migration, network segmentation planning and deployment; enables visibility across virtual and physical networks; and provides operational views to manage and scale VMware NSX, VMware Cloud on AWS, VMware SD-WAN, and many other deployments.

Security Planning, Security Analytics, Network Analytics, Netflow/IPFIX, SNMP, Application Discovery

 
 

VMware SD-WAN

VMware SD-WAN provides monitoring functionality that enables organizations to observe various performance and operational characteristics of VMware SD-WAN Edges and continuously computes a VMware SD-WAN quality score to assess performance of critical voice, video, or data applications at any given time with the ability to alert IT staff. This analysis provides administrators a comprehensive before and after view into application behavior on individual links and the VMware SD-WAN enhancements.

SD-WAN Edge Monitoring, Remote Diagnostics and Administration, Statistics on Quality of Experience (QoE), Transport, and Application Usage

SD-WAN Orchestrator
  Edge Network Intelligence

VMware Edge Network Intelligence is an artificial intelligence for IT Operations (AIOps) solution focused on the enterprise edge, ensuring end user and IoT client performance, security, and self-healing through LAN/WLAN, SD-WAN and secure access service edge (SASE). The solution employs machine learning algorithms and modern big data analytics to process high volumes of data from a wide range of network, device and application sources. In doing so, the solution auto-discovers end-user and IoT devices, automatically establishes baselines, understands every single client interaction and monitors for deviations to provide actionable insights that operations teams can proactively remediate.

AIOps, Big Data, UC Applications, IoT Devices ENI Analytics Engine
  NSX Network Detection and Response

VMware NSX Network Detection and Response maps adversaries’ campaigns to the tactics and techniques outlined by the MITRE ATT&CK Framework, providing coverage and protection across 12 MITRE ATT&CK tactics through network prevention, detection and response capabilities.

Visualization of the entire attack chain (aligned to MITRE ATT&CK), Inspection of Encrypted Traffic and Artifacts

NDR Detection Engine
  vRealize Log Insight

vRealize Log Insight provides intelligent log management for infrastructure and applications in any environment. This highly scalable log management solution delivers intuitive, actionable dashboards, sophisticated analytics, and broad third-party extensibility across physical, virtual, and cloud environments.

SYSLOG, Event Data, Visualization, 5-Tuple Flow Information

 
Applications        
  NSX Advanced Load Balancer

VMware's NSX Advanced Load Balancer provides a comprehensive security stack that includes SSL/TLS encryption, L3-7 ACLs that include both IP-port and uniform resource identifier (URI) based security rules, and rate limiting per app or per tenant. Deep security insights provide real-time monitoring and overall health score for your applications. For example, VMware's NSX Advanced Load Balancer checks if all your security certifications are up to date, detects DDoS attacks, and provides mitigation. The NSX Advanced Load Balancer protects mission critical applications across any environment – on-prem data centers, private and public cloud with its Intelligent Web Application Firewall (iWAF), which helps protect against OWASP Core Rule Set (CRS) attacks and common signature-based vulnerabilities, such as SQL injection and Cross-site Scripting (XSS).

iWAF, DDoS, L3/L4/L7 ACLs, Rate Limiting

NSX ALB Service Engine
  NSX Data Center

With VMware NSX Data Center, security policies can be defined consistently across the entire environment, regardless of the type of application or where it has been deployed. Policies are enforced at the individual workload level, which enables the segmentation of workloads that live on the same physical host without having to hairpin traffic out through an external physical or virtual firewall. This granular level of security is called micro-segmentation and is provided through its service-defined firewall.

The VMware Service-defined Firewall is a distributed, scale-out internal firewall that simplifies and automates both network segmentation and micro-segmentation with an intrinsic security approach and an agentless architecture to enable the extension and enforcement of security policies across multi-data center and hybrid cloud environments and grants ubiquitous control over VM-based and container-based applications, from network- to workload- and process-level enforcement. Because the virtualization infrastructure is built into the software, automating the deployment and enforcement of security policies on both the network and the workload is easy.

VMware facilitates security as part of the application development lifecycle. InfoSec and IT teams have visibility into how applications they are responsible for protecting change over time. Newly provisioned workloads automatically inherit security policies that stay with them throughout their lifecycle. As the application changes, their security policies dynamically adapt to account for the changes. When workloads are eventually deprecated so are their security policies, decreasing policy bloat over time and simplifying management.

Micro-Segmentation, Application-Segmentation, Distributed Firewalling, Gateway Firewalling, Identity Firewalling, Load Balancing

vSIP Kernel
  NSX Distributed IDS/IPS

NSX co-locates the IDS/IPS functionality with the firewall, leading to a single-pass design for traffic inspection. All traffic passes through the firewall first, followed by IDS/IPS inspection depending on configuration. This co-location of IDS/IPS functionality with the firewall also simplifies the expression and enforcement of network security policies. The IDS/IPS module uses signatures, protocol decoders and anomaly detection to hunt for attacks in the traffic flow. If no attacks are present, the traffic is passed back to the firewall for further transport to the destination. On the other hand, if an attack is detected, an alert is generated and logged. The IDS/IPS inspection process on the destination node receiving the traffic is similar. However, operators can choose to forego IDS/IPS inspection at the destination (or equivalently at the source) if they deem IDS/IPS inspection on one end of the traffic flow to be adequate.

Intrusion Detection and Prevention, Distributed analytics, Curated Context-based Signature Distribution, Context-driven Threat Detection, Optimized Traffic Flow, Absolute Coverage for all Traffic, Workload Mobility Support

vSIP Kernel
  VMware SD-WAN

VMware SD-WAN supports the recognition and classification of 2,500+ applications and sub applications without the need to deploy separate hardware or software probes within each branch location. The solution intelligently learns applications and adds them to the cloud-based application database. Services such as firewall, intelligent multipath, and Smart QoS may be controlled through the solution’s application-aware business policy control.

VMware SD-WAN also optimizes traffic over multiple available connections (MPLS, broadband, LTE) to deliver traffic across the network, delivering a better user experience to any location. SD-WAN will dynamically steer traffic to the best available link, and if the available links show any transmission issues, it will immediately apply remediation for jitter and packet loss based on policies to ensure performance of the high-priority applications. VMware Dynamic Multipath Optimization (DMPO) provides automatic link monitoring, auto-detection of provider and autoconfiguration of link characteristics, routing and quality of service (QoS) settings. VMware DMPO delivers sub second blackout and brownout protection to improve application availability. It remediates link degradation through FEC, activating jitter buffering and synthetic packet production.

Assured Application Performance, DMPO, QoS, Business Policy Control, Security Service Chaining

SD-WAN Orchestrator
  NSX Network Detection and Response

VMware NSX Network Detection and Response (NDR) helps security operations teams rapidly detect malicious activity and stop the lateral movement of threats inside your network. NSX NDR ingests signals from built-in and distributed sensors located throughout your environment and is able to detect threats across the MITRE ATT&CK Framework, giving your SOC teams unparalleled visibility into malicious events as they occur.

NSX NDR detects threats in encrypted traffic with novel machine learning models that operate on JA3 hashes and network meta-data. It uniquely analyzes encrypted files at each host through guest introspection before they are written to disk.

AI-powered threat-analysis and detection, Network traffic analysis, Sandboxing, Intrusion Detection and Prevention, NSX Advanced Threat Analyzer, VMware Threat Analysis Unit (VTAU), Distributed Agentless Sensors

NDR Detection Engine
Automation        
  NSX Advanced Load Balancer

The NSX Advanced Load Balancer platform is built on software-defined principles and is 100% REST API based, making it fully automatable and seamless with the CI/CD pipeline for application delivery, enabling a next generation architecture to deliver the flexibility and simplicity expected by IT and lines of business. The NSX Advanced Load Balancer architecture separates the data and control planes to deliver application services beyond load balancing, such as application analytics, predictive autoscaling, micro-segmentation, and self-service for app owners in both on-premises or cloud environments. The platform provides a centrally managed, dynamic pool of load balancing resources on commodity x86 servers, VMs or containers, to deliver granular services close to individual applications. This allows network services to scale near infinitely without the added complexity of managing hundreds of disparate appliances.

Infrastructure-as-Code, RestAPI, Terraform Provider, Ansible Playbook, VMware SDK

 
  NSX Data Center

VMware NSX Data Center enables faster provisioning and deployment of full-stack applications by virtualizing networking and security services and removing the bottleneck of manually managed networking and security services and policies. NSX natively integrates with cloud management platforms and other automation tools, such as vRealize Automation/vRealize Automation Cloud, Terraform, Ansible and more, to empower developers and IT teams to provision, deploy and manage apps at the speed business demands.

Infrastructure-as-Code, RestAPI, Terraform Provider, Ansible Playbook, VMware SDK

 
Network        
  NSX Data Center

VMware NSX Data Center delivers a completely new operational model for networking defined in software, forming the foundation of the software-defined data center (SDDC) and extending to a cloud network. Data center operators can now achieve levels of agility, security and economics that were previously unreachable when the data center network was tied solely to physical hardware components. NSX provides a complete set of logical networking and security capabilities and services, including logical switching, routing, firewalling, load balancing, virtual private network (VPN), quality of service (QoS), and monitoring. These services are provisioned in virtual networks through any cloud management platform leveraging NSX APIs. Virtual networks are deployed non-disruptively over any existing networking hardware and can extend across data centers, public and private clouds, container platforms, and physical servers.

Distributed Routing & Switching, Software L2 Bridging, Dynamic Routing with ECMP, IPv6, Multi-Tenancy, VRF, VPN, Ethernet VPN (EVPN), NAT, IPAM, DNS, Federation, Disaster Recovery

vSIP Kernel
 

VMware SD-WAN

VMware Software-Defined Wide Area Network (SD-WAN) is the application of software based network technologies that virtualize WAN connections to provide agility, performance and reliability for network traffic between remote and branch offices to data centers and the cloud. SD-WAN leverages on-premises or cloud-hosting deployments for management of network devices and employs traffic steering to applications in the data center and the cloud. It combines the bandwidth of broadband with existing WAN connections to more efficiently and cost-effectively connect users to data center and cloud-based applications from any location in the network.

The VMware SD-WAN controller can be used to create virtual network segments to isolate data, including PCI data, to ensure data integrity and for PCI audit compliance. Segmentation also allows for overlapping IP addresses, which makes it easy to incorporate multiple networks into the system.

Transparently forward select traffic to the cloud-based security service based on business-policy definition without any branch-by-branch or application-based configuration and provides for service chaining using an Network Functions Virtualization (NFV) infrastructure for service delivery. The VMware SD-WAN Virtual Edge can be deployed on a virtual customer premises equipment (vCPE).

Network Function Virtualization (NFV), Stateful Firewalling, Micro-Segmentation, Multi-Tenancy, QoS, IPsec, VPN, Routing & Switching, IPv6

SD-WAN Orchestrator
Users        
  NSX Advanced Load Balancer

NSX Advanced Load Balancer enables organizations to configure SSO policies and enforce SAML 2.0 authentication and authorization for back-end HTTP applications.

Virtual Service Policies NSX ALB Service Engine
  NSX Data Center

VMware NSX Data Center provides Identity Firewall functionality for workloads running the Windows operating system allowing administrators to synchronize NSX with Active Directory and create and apply user-based distributed firewall rules to enforce application access based on least-privilege access.

Identity-Firewalling vSIP Kernel

VMware alignment with NIST Special Publication 800-207: Zero Trust Architecture

VMware’s products and solutions align with the Zero Trust tenants cited inside of NIST Special Publication 800-207: Zero Trust Architecture. The following list explains how. Expand the dropdown menu items for more details.

I. All data sources and computing services are considered resources.

A unified endpoint management system looks at the endpoint (desktop/laptop, mobile, or IoT) and determines if that endpoint is a compliant resource Also, the ownership and management scope of the endpoint resource must be considered individually. If the endpoint is trusted, then user identity is checked and access to the resource is granted. Examples of endpoint resources can be devices, specific blocks of structured or unstructured data, identity objects and systems including Workspace One, applications or the transport zones that connect them.

II. All communication is secured regardless of network location. Network location does not imply trust. Access to individual enterprise resources is granted on a per-session basis.

Unified Access Gateway is a component within a Workspace ONE and VMware Horizon deployment that enables secure remote access from an external network to a variety of internal resources per dynamic access policies regardless of network location.

  • Per-application tunneling of native and web applications on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service. This unique feature helps to reduce the attack surface by enlisting VPN only on the application in use, instead of on the entire endpoint.
  • Access from VMware Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service.
  • Reverse proxying of web applications.
  • Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.
  • Secure external access to desktops and applications on VMware Horizon Cloud Service on Microsoft Azure, and VMware Horizon 7 on premises.

Finally, the communication method must be valid, and encryption must be in place. To reduce the attack surface further, each application can have a single secure tunnel into the data center.

Workspace ONE empowers IT and InfoSec to provide users with Zero Trust access to any application on any endpoint. It combines conditional access, unified endpoint management, and machine-learning-based risk analytics. Workspace ONE continuously verifies user contexts and endpoint compliance prior to granting least-privilege access to cloud-based, on-premises, and virtual applications.

III. Trust in the requester is evaluated before access is granted.

Contextual Policies control authentication with conditional access policies based on device compliance state, user authentication strength, data sensitivity, user location and more.

Workspace ONE Access handles conditional access through a policy engine. After the user selects an application from Workspace ONE Intelligent Hub, Workspace ONE Access verifies the user’s identity, rejects the request, accepts the request, requires multi-factor authentication, or requests remediation before it grants access.

IV. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes.

Continuous verification of endpoint compliance and conditional access to applications serve to reduce the attack surface. With these in place, we can ensure that trust is continuously verified, and access is allowed only when the endpoint, user and connection are fully trusted.

Additionally, VMware provides a Unified Access Gateway, which acts as an enforcement point to control and secure access to applications and resources. Unified Access Gateway can deploy different edge services depending on the type of access requested. These edge services include per-application VPN, Content Gateway, Web Reverse Proxy (WRP), and VMware Horizon Edge Service. Per-application VPN limits access to only the specific application on the endpoint that is requesting data, without exposing enterprise data to anything else on the endpoint. Virtual applications and desktops are more secure.

By supporting secure connections to the virtual infrastructure by means of the Horizon Edge Service, the capabilities of Unified Access Gateway can also extend to applications and data behind the firewall.

V. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. No device is inherently trusted.

If the identity of the user, compliance of the endpoint, or deviations from baseline behavior change, then Workspace ONE triggers automated remediation. Instead of cutting off the user completely, Workspace ONE gives the user various options to remediate the situation, such as multi-factor authentication. The user is quarantined only temporarily while the problem is remediated, and then access is restored.

The user’s selection from the Workspace ONE Intelligent Hub triggers a check of endpoint compliance through Workspace ONE Unified Endpoint Management. Workspace ONE Unified Endpoint Management is a cross-platform solution for desktop, virtual, and mobile endpoints, with any operating system.

If a user is at risk, or an endpoint is out of compliance, Workspace ONE Intelligence gives insights to IT and InfoSec and allows the setup of automation rules to remediate the problem so that the user can access the applications and data that they need, in real time. This approach is not just reactive, but proactive. Accreditation

NSX uses micro-segmentation to secure east-west traffic for applications and desktops in the data center and the cloud. NSX thus reduces the attack surface by micro-segmenting the entire architecture.

VI. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning, and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

To continuously verify trust and allow access, Workspace ONE provides risk analytics and ongoing monitoring of users, endpoints, applications, and transport. The Workspace ONE platform develops contextual risk assessments for endpoints, users, and networks Integrates third-party security products Provides insights, automated remediation, and orchestration. If the identity of the user, compliance of the endpoint, or deviations from baseline behavior change, then Workspace ONE triggers automated remediation. Instead of cutting off the user completely, Workspace ONE gives the user various options to remediate the situation, such as multi-factor authentication. The user is temporarily quarantined while the problem is remediated, and then access is restored.

VII. The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture.

Workspace ONE Intelligence provides integrated insights into threat data, device compliance, and risk analytics. Use these analytics to identify and mitigate security issues in real-time.

  • Enable continuous verification with user risk score based on device context and user behavior.
  • Use real-time and continuous monitoring of your entire digital workspace to proactively secure the known and unknown
  • Automate remediation using the powerful decision engine.

Workspace ONE can enable a full Zero Trust architecture. In addition, the open, flexible, extensible platform allows you to integrate your current third-party security and IT service management (ITSM) investments. VMware has an extensive partner ecosystem for the Workspace ONE platform called the Workspace ONE Trust Network. 

Zero Trust Logical Architecture

VMware’s products and solutions also fit into the logical design of a Zero Trust Architecture as documented in the latest NIST SP 800-207: Zero Trust Architecture. 

NIST Zero Trust Architecture maps with VMware products

Expand for more details:

Architecture Component

Product Action

Vendor Response

Vendor Comments

Policy Engine

Implements/ Enforces

Workspace ONE

Workspace ONE Access handles conditional access through a policy engine. After the user selects an application from Workspace ONE Intelligent Hub, Workspace ONE Access verifies the user’s identity, rejects the request, accepts the request, requires multi-factor authentication, or requests remediation before it grants access.
The solution allows dozens of access policy combinations that leverage device enrollment, network, SSO, automated device remediation and third-party information to establish levels of trust, enabling intelligent access decisions.
 

Policy Admin

Implements/ Enforces

Workspace ONE

Workspace ONE Access performs the act of authenticating users in our solution. Workspace ONE Access supports many types of authentication, including RADIUS, RSA SecurID, passwords, SAML authentication using external identity providers, and more.
Organizations can easily build and adjust access policies that require different levels of authentication, including multi-factor authentication if needed, but at its foundation, our Zero Trust solution is built on certificate-based authentication.
Workspace ONE Access supports multiple different methods of certificate-based authentication:
Traditional certificate-based user authentication methods used by PC and Mac devices
Our own certificate-based user authentication solution for iOS and Android devices, called Mobile SSO
Certificate-based device authentication, for validating the device itself
Mobile SSO technology provides the ability to sign in to an app on a mobile device once and gain access to all entitled applications, including SaaS apps. VMware leverages open standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) to authenticate a user between the identity provider, namely, Workspace ONE Access, and the service provider, such as SaaS apps in the cloud. By eliminating the requirement of entering passwords to access a resource, this technology addresses security concerns and password-cracking attempts as well as offering an SSO experience for users.

Subject

Implements /Enforces

Workspace ONE

See Above

System

Implements/ Enforces

Workspace ONE

See Above

Policy Enforcement Point

Implements/ Enforces

Workspace ONE

VMware Unified Access Gateway (UAG) is a security platform that provides edge services and access to defined resources that reside in the internal network. It acts as the security gateway for VMware Workspace ONE and VMware Horizon deployments, enabling secure remote access from an external network to a variety of internal resources.
UAG supports additional use cases, including
Per-application tunneling of native and web applications on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service. This unique feature helps to reduce the attack surface by enlisting VPN only on the application in use, instead of on the entire endpoint.
Access from VMware Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service.
Reverse proxying of web applications.
Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.
Workspace ONE Intelligent Hub is the portal for users to access applications to accomplish their daily work. Each of the user’s endpoints can have the portal agent installed, customized with the items the user has permission to access. The user signs in once with secure single sign-on (SSO) and may use whatever items are offered on their portal. And the applications can be integrated through SSO so that data flows from one application to another. The user’s selections from Workspace ONE Intelligent Hub trigger security checks by Workspace ONE Access and Workspace ONE Unified Endpoint Management.

Enterprise Resource

Implements/ Enforces

NSX

NSX uses micro-segmentation to secure east-west traffic for applications and desktops in the data center and the cloud. NSX thus reduces the attack surface by micro segmenting the entire architecture.

CDM System

Supports/ Enforces

Workspace ONE

This gathers information about the enterprise asset’s current state and applies updates to configuration and software components.

Industry Compliance

Implements/ Enforces

Workspace ONE

The user’s resource selection from the Workspace ONE Intelligent Hub triggers a check of endpoint compliance through Workspace ONE Unified Endpoint Management. Workspace ONE Unified Endpoint Management is a cross-platform solution for desktop, virtual, and mobile endpoints, with any operating system.
Workspace ONE Intelligence is a cloud service that provides risk analytics, insights, and automated remediation and orchestration. Workspace ONE Intelligence •  Continuously verifies risk through machine learning •  Detects user behavior anomalies in context, such as a rapid jump from one geographical area to another •  Creates user and endpoint risk scores •  Uses security algorithms that are dynamic, not static •  Reduces security-alert fatigue by gathering data from many sources and enforcing endpoint compliance in the cloud, in real time If a user is at risk, or an endpoint is out of compliance, Workspace ONE Intelligence gives insights to IT and InfoSec and allows the setup of automation rules to remediate the problem so that the user can access the applications and data that they need, in real time. This approach is not just reactive, but proactive.

Threat Intelligence

Implements/ Enforces

Workspace ONE, Carbon Black

Workspace ONE Trust Network provides a framework of trust by taking advantage of APIs built on the Workspace ONE platform. These APIs allow a rich ecosystem of security solutions to communicate with Workspace ONE and ultimately provide the aggregated view that administrators want for simplifying security and management. By connecting security solution silos, organizations can leverage their existing investments to exponentially improve continuous monitoring and risk analysis for faster response times. This results in a predictive security strategy, based on trends and patterns, which can scale with the deployment.

Activity Logs

Implements/ Enforces

Workspace ONE, vRealize Suite

By aggregating, correlating, and analyzing data from multiple internal and external sources, VMware Workspace ONE Intelligence delivers out-of-the-box as well as advanced customer dashboard and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, impact of new security threats, in context risk analytics, device and OS compliance, and the state digital
employee experience.

Data Access Policy

Implements/ Enforces

Workspace ONE

By aggregating, correlating, and analyzing data from multiple internal and external sources, VMware Workspace ONE Intelligence delivers out-of-the-box as well as advanced customer dashboard and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, impact of new security threats, in context risk analytics, device and OS compliance, and the state digital employee experience.

PKI

Supports/ Enforces

Workspace ONE integration w/third party PKI

Workspace ONE UEM can act as a SaaS certificate authority (CA) for customers without an existing PKI. For customers with an existing PKI, Workspace ONE UEM can also act as a subordinate CA. Acting as a CA allows customers to take advantage of advanced mobile security features supported by both Workspace ONE UEM and mobile device platforms, such as VPN on-demand, certificate-based Wi-Fi authentication, and certificate-based Exchange ActiveSync authentication – all without the need to set up and manage an in-house PKI.
Workspace ONE UEM also integrates directly with certificate authorities, public key infrastructure (PKI) or third-party providers, in both cloud and on-premises deployment models. Administrators can configure certificates for several systems, including Wi-Fi, VPN and Microsoft EAS, and can automatically distribute certificates to devices without user interaction.

ID Mgt.

Supports/ Enforces

Workspace ONE

Workspace ONE Access acts as a broker to other identity stores and providers—including Active Directory (AD), Active Directory Federation Services (ADFS), Azure AD, Okta and Ping Identity— that your organization may already be using to enable authentication across on-premises,
software-as-a-service (SaaS), web and native applications without the need to rearchitect the identity environment.

SIEM System

Supports/ Enforces

Workspace ONE

Logs collected in intelligence and Log Insight.

Zero Trust Operationalization

VMware’s products and solutions can be implemented and operationalized for Zero Trust as referenced in sections 3.1 and 3.2 of NIST SP 800-207: Zero Trust Architecture.

 

Device Agent/ Gateway Based

Enclave-Based

Resource-Portal Based

Device Application Sandboxing

Identity Governance

Workspace ONE

Workspace ONE

Workspace ONE

VMs, Containers, NSX, VMware SDDC, Workspace ONE

Micro-Segmentation

NSX

NSX

NSX

VMs, Containers, NSX, VMware SDDC, Workspace ONE

Network & SDN Perimeters

NSX

NSX

NSX

VMs, Containers, NSX, VMware SDDC, Workspace ONE

Implement NIST 800-53 security controls with VMware

VMware has taken a programmatic approach to standards compliance by publishing prescriptive documentation that delivers to agencies data center-level designs to deploy and configure our complete Software Defined Data Center (SDDC) and End User Computing (EUC) software in a wide range of scenarios, with detailed operational specifications. We call these blueprints VMware Validated Designs (VVDs) and freely publish them for our customers’ use. These VVDs can be deployed by agencies themselves, by VMware Professional Services Organization (PSO), or by VVD-accredited partners. We work with acknowledged compliance partners such as Coalfire Systems, Inc. and Tevora to publish applicability guides to assess compliance of the VMware stacks to multiple standards such as CJIS, HIPAA, and NIST 800-53. These documents are available to agencies and their partners to assist in achieving and maintaining compliance of your systems. With our VMware Cloud Foundation (VCF) offering, VMware has carried this farther, by enabling the automation of deployment, management, and maintenance of these systems to both public and private clouds.

The specific mapping of the VMware SDDC and EUC products to NIST 800-53 can be requested through engagement with a VMware sales representative or from a Federalized cloud-hosting standpoint through the GSA FedRAMP front door request tool for federal agency ATO portal and the security package which includes this extensive detail regarding the Security Assessment Results/Report and Readiness Assessment Report:

VMware alignment with Zero Trust pillars mapped to DHS CDM capabilities

VMware’s products and solutions align with the Zero Trust pillars when mapped with the DHS Continuous Diagnostics and Mitigation (CDM) capabilities.

VMware products map to DHS CDM capabilities

Expand for more details:

Zero Trust Pillars

CDM Capabilities

Description

Vendor Product

Users

Manage Trust in People Granted Access

Assess the inherent risk to an agency from insider attacks for the purposes of granting trust to users and authorizing each user for certain attributes

Workspace ONE, NSX, Carbon Black, vSphere

Manage Security-Related Behavior

Ensures that authorized users with or without special security responsibilities exhibit the appropriate behavior for their role

Workspace ONE, vSphere

Devices

Hardware management

Discover unauthorized or unmanaged software on a network

Workspace ONE

Software management

Discover unauthorized or unmanaged software on a network

Workspace ONE

Configuration Settings Management

Ensures that authorized security config benchmarks exist and certain acceptable value for each relevant configurable setting for each IT asset type

Workspace ONE

Vulnerability Management

Discover and support remediation of vulnerability in IT assets on a network as defined in NIST SP 800-53 controls

Workspace ONE, Carbon Black

Network

Credentials and Authentication Management

Ensures that only proper credentials are authenticated to systems services and facilities

Workspace ONE, NSX

Managing Priv user access (E.g. PAM) capability

Provides an agency the assurance that users and systems have access to and control of only the appropriate resources the capability identifies access beyond what is needed to meet business requirements

Workspace ONE, NSX

Network Protection

Limits, prevents, and/or allows the removal of unauthorized network connections/access via devices such as firewalls that sit at a boundary and regulate the flow of network traffic. It also includes the use of encryption to protect traffic that must cross logical boundaries and addresses physical access systems that limit unauthorized user physical access to Federal Government Systems

Workspace ONE, NSX

Applications

Credentials and Authentication Management

Ensures that only proper credentials are authenticated to systems services and facilities

Workspace ONE

Managing Account Access Capability

Provides an agency the assurance that users and systems have access to and control of only the appropriate resources the capability identifies access beyond what is needed to meet business requirements

Workspace ONE, NSX

Design and Build Security

Describes preventing exploitable vulnerabilities from being effective in the software/system while in development or deployment

Workspace ONE, NSX

Automation

Manage Events

Describes preparing for events/incidents, gathering appropriate data from appropriate sources, and identifying incidents through analysis of data

Workspace ONE, NSX, vRealize Suite

Operate, Monitor, and Improve

Describes the audit data collection and analysis, incident prioritization and response and post-incident activities (e.g. information sharing)

Workspace ONE, NSX, vRealize Suite

Analytics

Data Protection

Provides data protection functions through crypto, masking, obfuscation, or access control, the CDM capability includes user and entity behavioral analytics that support detection of suspected compromised accounts (people or application) endpoint devices, data exfiltration and insider access abuse (including excessive or unauthorized access to data, functions and priv abuse) and provide context for security investigations

vSAN, NSX, Workspace ONE

Data

Data Discovery and Classification

Supports data protection functions through data identification, data classification and data tagging

Workspace ONE, vSAN

Data Loss Prevention

Provides data protection functions through data loss prevention capabilities, to include data protection policy management and data protection security orchestration

Workspace ONE, vSAN, Carbon Black

Data Protection

Provides data protection functions through crypto, masking, obfuscation, or access control, the CDM capability includes user and entity behavioral analytics that support detection of suspected compromised accounts (people or application) endpoint devices, data exfiltration and insider access abuse (including excessive or unauthorized access to data, functions and priv abuse) and provide context for security investigations

Workspace ONE, Carbon Black

Data Spillage

Provides data breach/spillage response actions

Workspace ONE, Carbon Black

 

Summary and Additional Resources

This whitepaper provides details about how VMware products and solutions align with the tenants and architecture of Zero Trust, as defined by industry-leading publications.

For details about controls, refer to the following appendices:

About the Author and Contributors

Andrew Osborn is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 8 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX. He'll be contributing to VMware’s Tech Zone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.

Changelog

The following updates were made to this guide:

Date

Description of Changes

2022/03/24
  • Added Zero Trust NSBU Matrix for ICT Pillars table.

2021/09/09

  • Guide was published.

Feedback

Your feedback is valuable. To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Horizon Workspace ONE Carbon Black Cloud Horizon Unified Access Gateway Workspace ONE Access Workspace ONE Intelligence Workspace ONE UEM Document Overview Intermediate Design Secure Remote Access Zero Trust Public Sector