The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, aligned to the CSA best practices, that is considered the de facto standard for cloud security and privacy. The accompanying questionnaire, the CAIQ, provides a set of "yes or no" questions based on the security controls in the CCM.
This post will focus on the VMware Horizon Desktop-as-a-Service (DaaS) offering, which is specifically designed for VMware Service Provider Partners (VSPP).
Horizon DaaS allows Service Providers to:
Provide a single management console for provisioning and delivering virtual desktops and applications from the service provider's Service Center
Host multiple tenants, providing dedicated compute resources across dedicated or shared VMware vSphere clusters
Allow tenants to bring in their own network services (Active Directory, DNS, DHCP, file servers, etc.), providing the same level of security and control as if the workloads were running on-premises
High Level DaaS Architecture
Components of VMware Horizon DaaS
Horizon Version Manager appliance – The HVM provides orchestration and automation for the Horizon DaaS components. It holds the appliance template and the runtime scripts that allow the Service Provider appliances and the Resource Manager appliances to be created automatically. It is a Linux virtual appliance deployed from an OVA file in vCenter Server.
Horizon Air Link appliance – Once the HVM appliance is deployed and the template and scripts have been copied to it, the next stage is to deploy the HAL appliance from the HVM admin portal. The HAL is responsible for sending API operations to vCenter Server to create the appliances.
Service Provider appliances – These are deployed as a pair for high availability. The SP appliances give Service Provider administrators access to a web-based portal (Service Center) from which they manage the Horizon DaaS environment. This is the main console for deploying tenants, assigning the resource cluster they use, and creating desktop collections, which are essentially capacity models for virtual desktops.
Resource Manager appliances – Like the SPs, these are deployed by the HAL as a pair. The role of the RM is to expose the hardware resources available from the vCenter Server(s) configured for Horizon DaaS; Service Provider administrators use it to allocate compute resources to tenants.
Tenant appliances – The tenant appliances (TA) are created from the Service Center portal, where you configure the tenant's settings, such as quotas for user licensing and desktop capacity. A pair is created per tenant.
Unified Access Gateway – This is a hardened Linux appliance deployed in the DMZ network to terminate incoming connections from external environments securely. External Horizon Clients connect to the UAG and never see the backend environment; it is the UAG that communicates with the backend Horizon environment. The UAG supports multi-factor authentication for additional protection when virtual desktops and applications are accessed from the Internet. The new UAGs will have the capability of SSL offloading, as seen on Application Delivery Controllers (ADCs).
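The security value of the UAG pattern above rests on one property: the only path from the Internet into the Horizon environment goes through the UAG. The following is an added example, not code from the original post or from VMware, that checks a zone-level firewall policy for exactly that property. Zone names, the rule format and the two sample policies are constructed for illustration; ports are omitted because the post does not list them, and the first-match semantics of the rule list is an assumption about the firewall being modelled.

```python
"""Zone-level segmentation check for the UAG-in-DMZ pattern.

Constructed example: zone names, rule format and sample policies are
illustrative and not taken from any VMware document. The check assumes a
first-match-wins rule list with an implicit deny at the end.
"""
from dataclasses import dataclass
from typing import List

EXTERNAL = "internet"        # external Horizon Clients
DMZ_UAG = "dmz-uag"          # Unified Access Gateway in the DMZ
BACKEND = "horizon-backend"  # tenant appliances and desktops behind the UAG
ANY = "any"                  # wildcard zone


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"

    def matches(self, src: str, dst: str) -> bool:
        return self.src in (ANY, src) and self.dst in (ANY, dst)


def decide(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; an unmatched flow is implicitly denied."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "deny"


def check_uag_segmentation(rules: List[Rule]) -> List[str]:
    """Return findings for a policy; an empty list means the policy matches
    the intended pattern: Internet -> UAG only, UAG -> backend, nothing
    else reaches the backend from outside."""
    findings = []
    if decide(rules, EXTERNAL, DMZ_UAG) != "allow":
        findings.append("external clients cannot reach the UAG")
    if decide(rules, EXTERNAL, BACKEND) == "allow":
        findings.append(
            "external clients can reach the Horizon backend directly, "
            "bypassing the UAG"
        )
    if decide(rules, DMZ_UAG, BACKEND) != "allow":
        findings.append("UAG cannot reach the Horizon backend")
    return findings


# Constructed policy that matches the described architecture.
GOOD_POLICY = [
    Rule(EXTERNAL, DMZ_UAG, "allow"),
    Rule(DMZ_UAG, BACKEND, "allow"),
    Rule(ANY, ANY, "deny"),
]

# Same rules with a broad "any -> any allow" left at the top (a common
# troubleshooting leftover): because the first match wins, it silently
# exposes the backend to the Internet even though the deny rule is present.
BAD_POLICY = [Rule(ANY, ANY, "allow")] + GOOD_POLICY


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_uag_segmentation(policy) or ["ok"])
```

The check is deliberately ordering-aware: the second policy contains the same deny rule as the first, yet fails, because rule position rather than rule presence decides what the firewall actually does. That is the case to test for after any change to the DMZ policy.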
Below is the list of official documentation provided by the vendor.