About Configuration Hardening

Configuration hardening allows you to improve the security posture of your vSphere, Kubernetes, AWS, or NSX-T Data Center environment by hardening the configuration to meet your company's own security policy, industry best practices such as CIS or NIST, or compliance standards such as PCI or HIPAA. By automating the hardening process, you can reduce your operational burden during a compliance audit.

With CloudControl, you can:

  • Create and customize templates to use in configuration hardening checks.
  • Assess and remediate your environments against the configuration hardening checks defined in the templates.
  • Review dashboards, reports and alerts to monitor the results of assessments and remediations.

About Templates

CloudControl uses templates to support all Configuration Hardening activities. CloudControl supports the following types of templates:

  • Catalog templates—Read-only collection of hardening operations for each cloud type, for example, vSphere operations catalog or Kubernetes operations catalog.
  • System templates—Read-only collection of operations derived from a catalog template for a given compliance standard, for example, the vSphere - HIPAA Security Standards template is derived from the vSphere operations catalog template.
  • Custom templates—Templates created by users. In most cases, they are copied or cloned from existing system or catalog templates. Custom templates can be modified and used in configuration hardening policies.

    Note: CloudControl also includes sample custom templates that can immediately be used in a policy. NSX-T does not have a sample custom template.

Templates can contain both assessment and remediation hardening operations. We recommend that you review all operations in the template to ensure that any parameter values are set to those that are appropriate for your infrastructure requirements.

About Policies

Configuration Hardening Policies are used to run custom templates. Each policy associates a template with one or more resources or tag-based resource configurations, and can be run manually or as a scheduled activity. Policies can either assess or remediate a resource, but cannot do both.