vSphere is designed with security in mind: a minimal hypervisor footprint, monitoring APIs that remove the need to install third-party agents on the host, secure remote syslog, Active Directory integration, and more. A default installation still needs hardening, however. See the vSphere hardening guide for the detailed configuration settings.

For a detailed discussion of security considerations for the SDDC core layer, see vSphere Security.

Virtual machines are the containers in which applications and guest operating systems run. By design, virtual machines are isolated from one another: even a user with administrator privileges inside one guest cannot reach another virtual machine's memory, disks, or network unless the ESXi administrator explicitly connects them. This isolation is what lets multiple virtual machines run securely while sharing hardware, and it is also what gives each virtual machine mediated access to that hardware and uninterrupted performance. The isolation is enforced by the hypervisor, so it holds only as long as the host and its management interface are not compromised.

When ESXi hosts are managed through vCenter Server, vCenter Server is normally placed behind a firewall that limits which networks can reach its management ports. That firewall provides baseline protection for the management network; it does not replace the per-host and per-virtual-machine controls described below.

The network is often the most exposed part of any system, and the virtual machine network requires as much protection as its physical counterpart. Virtual machine network security can be strengthened in several ways, including by using virtual local area networks (VLANs) to separate traffic types (for example, management, vMotion, storage, and virtual machine traffic) from one another.

As with physical network adapters, a virtual network adapter can send frames that appear to come from a different machine (forged transmits), or change its MAC address so that it receives frames intended for another machine (MAC address changes). Also like a physical adapter, a virtual network adapter can be put into promiscuous mode so that it receives frames addressed to other machines. The security policy of a standard or distributed switch, and of each port group, controls whether the host accepts or rejects each of these behaviors; the hardening guide recommends rejecting all three unless a specific workload requires one of them.
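The following PowerCLI script is an added example; it is not part of the original page and is not VMware's own tooling. It audits the three switch security-policy settings that govern the behavior described above (Promiscuous Mode, MAC Address Changes, Forged Transmits) on every standard switch and port group, and with -Remediate sets them all to Reject. An existing PowerCLI session (Connect-VIServer) with a role allowed to edit host networking, and the -Remediate switch itself, are assumptions.

```powershell
# Added example (not from the original page or from VMware): audit the vSwitch
# security policy that controls promiscuous mode, MAC address changes and forged
# transmits, and optionally set all three to Reject.
# Assumptions: PowerCLI is installed, Connect-VIServer has already been run with
# a role allowed to edit host networking, and -Remediate is an illustrative switch.
param([switch]$Remediate)

$settings = 'AllowPromiscuous', 'MacChanges', 'ForgedTransmits'

# A finding is a setting that is still Accept ($true). Port groups inherit the
# switch policy unless overridden, so only explicit overrides are reported there.
$findings = foreach ($vmhost in Get-VMHost) {
    foreach ($vss in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $policy = Get-SecurityPolicy -VirtualSwitch $vss
        foreach ($s in $settings) {
            if ($policy.$s) {
                [pscustomobject]@{ Host = $vmhost.Name; Object = $vss.Name; Kind = 'vSwitch'; Setting = $s }
            }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
            foreach ($s in $settings) {
                if ($pgPolicy.$s -and -not $pgPolicy."${s}Inherited") {
                    [pscustomobject]@{ Host = $vmhost.Name; Object = $pg.Name; Kind = 'PortGroup'; Setting = $s }
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Accept settings found.' }

if ($Remediate -and $findings) {
    foreach ($vmhost in Get-VMHost) {
        # Reject at the switch, then clear port-group overrides so they inherit it.
        Get-VirtualSwitch -VMHost $vmhost -Standard | Get-SecurityPolicy |
            Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        Get-VirtualSwitch -VMHost $vmhost -Standard | Get-VirtualPortGroup | Get-SecurityPolicy |
            Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
    }
}
```

Distributed switches have the equivalent Get-VDSecurityPolicy and Set-VDSecurityPolicy cmdlets (where the MAC setting is named -MacAddressChanges). A few workloads, such as nested hypervisors, network monitoring sensors and some load balancers, legitimately need Promiscuous Mode or Forged Transmits; place those on a dedicated port group and accept only the setting they need there rather than relaxing the whole switch.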

The storage configured for a host might include one or more storage area networks (SANs) that use iSCSI. When iSCSI is configured on a host, several measures can be taken to minimize security risks.
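One of the standard measures is CHAP authentication on the iSCSI adapter, so that the host only talks to targets that can authenticate and, with mutual CHAP, the target also verifies the host. The script below is an added example, not part of the original page or of VMware's tooling; it reports the CHAP state of every iSCSI adapter and optionally enforces mutual CHAP. An existing PowerCLI session is assumed, the CHAP names are placeholders, and the secrets are taken from environment variables so they never appear in the script.

```powershell
# Added example (not from the original page or from VMware): check every iSCSI
# adapter for mutual CHAP and optionally enforce it.
# Assumptions: an existing PowerCLI session; the CHAP names are placeholders and
# the secrets are read from environment variables so they never sit in the script.
param(
    [string]$ChapName       = 'esx-initiator',   # name the host presents to the target (assumed)
    [string]$MutualChapName = 'san-target',      # name the target must present back (assumed)
    [switch]$Remediate
)
$chapSecret       = $env:ISCSI_CHAP_SECRET
$mutualChapSecret = $env:ISCSI_MUTUAL_CHAP_SECRET
if ($Remediate -and (-not $chapSecret -or -not $mutualChapSecret)) {
    throw 'Set ISCSI_CHAP_SECRET and ISCSI_MUTUAL_CHAP_SECRET before remediating.'
}

$report = foreach ($vmhost in Get-VMHost) {
    foreach ($hba in Get-VMHostHba -VMHost $vmhost -Type IScsi) {
        $auth = $hba.AuthenticationProperties
        # "Required" means the host refuses targets that do not authenticate;
        # mutual CHAP additionally makes the target prove itself to the host.
        $compliant = ($auth.ChapType -eq 'Required') -and $auth.MutualChapEnabled
        [pscustomobject]@{
            Host       = $vmhost.Name
            Adapter    = $hba.Device
            ChapType   = $auth.ChapType
            MutualChap = $auth.MutualChapEnabled
            Compliant  = $compliant
        }
        if ($Remediate -and -not $compliant) {
            Set-VMHostHba -IscsiHba $hba -ChapType Required -ChapName $ChapName -ChapPassword $chapSecret `
                -MutualChapEnabled $true -MutualChapName $MutualChapName -MutualChapPassword $mutualChapSecret | Out-Null
        }
    }
}
$report | Format-Table -AutoSize
```

Configure the matching names and secrets on the storage array before remediating, or the host loses its paths at the next login. CHAP authenticates the endpoints but does not encrypt the traffic, so iSCSI should also run on a dedicated, non-routed VLAN or switch as described above. Individual targets can carry their own CHAP settings (Set-IScsiHbaTarget), which this adapter-level check does not inspect.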

Security of the ESXi management interface is critical to protect against unauthorized intrusion and misuse. If a host is compromised, the virtual machines it runs can be compromised with it. To minimize the risk of attack through the management interface, ESXi ships with a built-in firewall that is enabled by default and opens only the ports required by enabled services; each ruleset can further be restricted to specific source networks.
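The script below is an added example, not part of the original page or of VMware's tooling. It reports hosts whose lockdown mode is off (so the host can be managed directly rather than only through vCenter Server) and enabled firewall rulesets that accept connections from any source address, and with -Remediate restricts the SSH ruleset to the administrative networks. The management subnet, the -Remediate switch and an existing PowerCLI session are assumptions.

```powershell
# Added example (not from the original page or from VMware): report ESXi hosts
# whose lockdown mode is off or whose enabled firewall rulesets accept traffic
# from any source, and optionally restrict chosen rulesets to admin networks.
# Assumptions: an existing PowerCLI session; $AdminNetworks is an illustrative
# management subnet; by default only the sshServer ruleset is changed.
param(
    [string[]]$AdminNetworks      = @('10.10.0.0/24'),
    [string[]]$RulesetsToRestrict = @('sshServer'),
    [switch]$Remediate
)

$findings = foreach ($vmhost in Get-VMHost) {
    # Lockdown mode forces management through vCenter Server; direct DCUI, SSH
    # and API access to the host is limited to the exception users.
    $mode = $vmhost.ExtensionData.Config.LockdownMode   # lockdownDisabled | lockdownNormal | lockdownStrict
    if ($mode -eq 'lockdownDisabled') {
        [pscustomobject]@{ Host = $vmhost.Name; Item = 'LockdownMode'; Detail = $mode }
    }
    # An enabled ruleset whose allowed-hosts list is "all IP" is reachable from
    # anywhere that can route to the management VMkernel interface.
    foreach ($rule in Get-VMHostFirewallException -VMHost $vmhost | Where-Object Enabled) {
        if ($rule.ExtensionData.AllowedHosts.AllIp) {
            [pscustomobject]@{
                Host   = $vmhost.Name
                Item   = "Ruleset $($rule.ExtensionData.Key)"
                Detail = "open to all IPs; incoming $($rule.IncomingPorts); service running: $($rule.ServiceRunning)"
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

if ($Remediate) {
    foreach ($vmhost in Get-VMHost) {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        foreach ($id in $RulesetsToRestrict) {
            # Same as: esxcli network firewall ruleset set --rulesetid <id> --allowed-all false
            $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $id; allowedall = $false }) | Out-Null
            foreach ($net in $AdminNetworks) {
                # Adding an entry that already exists raises an error; treat that as done.
                try {
                    $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $id; ipaddress = $net }) | Out-Null
                } catch { Write-Verbose "$($vmhost.Name): $id already allows $net" }
            }
        }
    }
}
```

Restrict only rulesets that vCenter Server does not depend on, or make sure the vCenter Server address is inside the allowed networks; narrowing a ruleset such as vSphereClient to a subnet that excludes vCenter Server disconnects the host. Before enabling lockdown mode, add a break-glass account to the host's lockdown exception list so direct access remains possible if vCenter Server is unavailable.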

Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
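As an added example of the privilege-and-role practice, not part of the original page or of VMware's tooling, the script below lists every principal that holds the Administrator role and whether that grant applies globally, and with -Remediate creates a custom role carrying only the privileges needed to power virtual machines on and off and assigns it to a group on a single VM folder. The group, folder and role names are illustrative, and an existing PowerCLI session is assumed.

```powershell
# Added example (not from the original page or from VMware): show who holds
# Administrator and where, then optionally grant a least-privilege role scoped
# to one VM folder. Group, folder and role names are placeholders.
param(
    [string]$OperatorGroup = 'CORP\vm-operators',   # assumed AD group
    [string]$ScopeFolder   = 'Prod-VMs',            # assumed VM folder
    [string]$RoleName      = 'VM Power Operator',   # assumed role name
    [switch]$Remediate
)

# In PowerCLI the built-in Administrator role is named 'Admin'.
$adminGrants = Get-VIPermission | Where-Object { $_.Role -eq 'Admin' }

# A propagating Administrator grant on the root object makes a global administrator.
$root = Get-Folder -NoRecursion
$adminGrants | ForEach-Object {
    $scope = if ($_.Entity.Id -eq $root.Id -and $_.Propagate) { 'GLOBAL (root, propagating)' } else { $_.Entity.Name }
    [pscustomobject]@{ Principal = $_.Principal; IsGroup = $_.IsGroup; Scope = $scope }
} | Format-Table -AutoSize

# Least privilege: a custom role carrying only the privileges the task needs.
# The System.* privileges are the minimum any role needs to browse inventory.
$privilegeIds = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset'
)

if ($Remediate) {
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $privilegeIds)
    }
    $folder = Get-Folder -Name $ScopeFolder -Type VM
    # Grant on the folder with Propagate so it covers VMs placed there and nothing else.
    New-VIPermission -Entity $folder -Principal $OperatorGroup -Role $role -Propagate:$true | Out-Null
}
```

Prefer granting to groups rather than individual accounts, and grant at the lowest object in the inventory that still covers the task; a permission on the root object with Propagate reaches every host, datastore and virtual machine in the vCenter Server instance.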

ESXi and vCenter Server use standard X.509 version 3 (X.509v3) certificates to authenticate components to one another and to establish TLS (historically called SSL) sessions between them. Within such a session, data in transit is confidential and cannot be modified without detection. That protection depends on the client actually validating the certificate it is presented; a client that accepts any certificate gets encryption but not authentication.
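The script below is an added example, not part of the original page or of VMware's tooling, of the client-side check that paragraph calls for: it opens a TLS session to a vSphere endpoint, reports the certificate presented and the negotiated protocol, and validates the chain against the local trust store instead of silently trusting the endpoint. The hostname, port and optional pinned thumbprint are placeholders; the script uses only .NET classes available in Windows PowerShell and PowerShell 7.

```powershell
# Added example (not from the original page or from VMware): connect to a vSphere
# endpoint over TLS, report the certificate it presents, and validate the chain.
# Hostname, port and the optional expected thumbprint are placeholders.
param(
    [string]$Server = 'vcenter.example.com',   # assumed hostname
    [int]$Port = 443,
    [string]$ExpectedThumbprint = ''           # pin obtained out of band; empty skips the check
)

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # Accept the certificate at handshake time only so the session completes;
    # validation is performed explicitly below and reported, never silently passed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)   # checks trust anchor, validity period and, where available, revocation

    [pscustomobject]@{
        Server            = $Server
        Protocol          = $ssl.SslProtocol
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        DaysUntilExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint        = $cert.Thumbprint
        ChainValid        = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ThumbprintMatches = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { 'not checked' }
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

A ChainValid of False with UntrustedRoot usually means the certificate was issued by the VMware Certificate Authority (VMCA) and its root has not been imported into the client's trust store; the fix is to import that root, not to turn validation off. A Protocol below Tls12 indicates the endpoint or the client still allows an obsolete protocol version.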

vCenter Single Sign-On is the authentication component of the management infrastructure. It validates a user's credentials, including Active Directory credentials when an Active Directory identity source is configured, and issues the security tokens that vCenter Server and other vSphere components use to authenticate that user.