Skip to main content

Hypervisor & Physical Systems

This category provides a compact, practical framework for securing and standardizing hypervisors and physical systems across all PCP sites. It is designed to accelerate implementation, ensure compliance readiness, and reduce operational and security risks.

Aligned with the Distinct Compute Reference Design (DRD) and the principles of ISO/IEC 27001, the guide delivers a structured approach to virtualization security and governance. It focuses on creating a consistent PCP global baseline while allowing flexibility for local requirements.

Key objectives include:

  • Standardization: Harmonize hypervisor configurations and operational practices across VMware ESXi, Microsoft Hyper-V, Nutanix AHV, and KVM environments.
  • Security Hardening: Apply best practices for authentication, certificate management, logging, and monitoring to protect against vulnerabilities.
  • Network Segregation & Redundancy: Implement robust workload isolation and high-availability designs to minimize risk and ensure resilience.
  • Visibility & Control: Establish complete asset transparency and centralized governance to eliminate shadow IT and enforce compliance.

By following this guide, PCP teams can execute quicklydemonstrate ISO/IEC 27001 readiness, and significantly reduce risk exposure—without waiting for lengthy certification processes.


Purpose & Scope

  • To create a unified, secure virtualization environment that supports global consistency, minimizes vulnerabilities, and enables compliance with ISO/IEC 27001 without delaying operations for certification audits.

Platforms Covered: VMware ESXi, Microsoft Hyper-V, Nutanix AHV, and KVM where applicable.
Focus Areas:

  • Asset registration and visibility
  • Secure management interfaces and networks
  • Encryption and protocol hardening
  • Certificate management
  • Centralized logging and monitoring
  • Directory-based authentication and MFA
  • Redundancy aligned with site classification
  • Hypervisor-specific hardening baselines

Summary & Outcome

no.ControlFocusOutcome
04.01Asset VisibilityRegister assets in Matrix42, ADAM & CMDBComplete inventory
04.02Dedicated Management InterfaceSeparate Management VLANSecure admin access
04.03Management Network PlacementIntegrate with AD / VPNControlled access
04.04Disable Insecure ProtocolsBlock HTTP/Telnet/FTPEncrypted traffic
04.05Valid ABB CertificatesABB PKI certsTrusted connections
04.06Central Log ForwardingSend logs to SplunkAudit-ready
04.07Directory AuthenticationAD / Entra IDNo shared accounts
04.08Local Account Policy & MFAEnforce ABB policyStrong auth
04.09Redundancy & Site ClassDesign per classificationHigh availability
04.10Hypervisor HardeningABB baselineReduced attack surface
04.11Monitoring & HealthMetrics & alertsProactive ops
04.12vCenter HardeningABB baselineSecure environment
04.13ESXi HardeningABB baselineSecure environment
04.14Hyper-V HardeningABB baselineSecure environment
04.15Nutanix AHV HardeningABB baselineSecure environment
04.16KVM HardeningABB baselineSecure environment

Control Checklist

Control NumberCategoryQuestionDescriptionLink to How to Guide
04.01HypervisorAll Hypervisors are recorded in ServiceNowRegister each host (and vCenter) in ServiceNow CMDB and ADAM with correct CI type, owner, location, IPs, and tags. Attach evidence (CMDB link/export).bulk single
04.02HypervisorAll Hypervisors have a dedicated management interfaceEnsure a separate management NIC/vSwitch per host; manage via vCenter/SCVMM; document VLAN/ACLs.
04.03HypervisorAll Hypervisors have the management interface in the management networkPlace mgmt interfaces in the management VLAN; restrict access via Jump Host/VPN; integrate with AD/Entra ID.
04.04HypervisorAll Hypervisors have insecure protocols disabled (HTTP, Telnet, etc.)Disable/block HTTP, Telnet, FTP and other plaintext services; enforce HTTPS/SSH; apply host firewall rules.
04.05HypervisorAll Hypervisors have installed only valid ABB certificatesUse ABB PKI certificates on hosts and vCenter; remove self-signed certs; track renewal before expiry.
04.06HypervisorAll Hypervisors have log forwarding enabledForward host and vCenter logs to Splunk with time sync; document exceptions for air-gapped sites.
04.07HypervisorAll Hypervisors have authentication configured via ABB AD or Entra IDEnable directory authentication and RBAC; no shared accounts; prefer MFA where supported.
04.08HypervisorAll network devices having local accounts are configured per ABB account policy – Password ExpirationWhere local accounts exist, enforce complexity and rotation/expiration; prefer domain auth; enable MFA where available.
04.09HypervisorAll Hypervisors are configured in a redundant wayEngineer HA/cluster, dual PSUs/NICs, redundant storage and networking per site class; obtain PAIS approval for critical sites.
04.10HypervisorAll Hypervisors are configured in line with the ABB hardening policy (where available)Apply ABB hardening baseline; disable unused services, secure shell, NTP/syslog configured, secure boot, audit settings.
04.11HypervisorAll Hypervisors are monitored with a tool providing: device status; utilization (CPU/RAM/Network/Disk) and relative performance indicators; device errors; notifications via mail or ticket; historical data ≥6 monthsImplement monitoring and alerting; retain metrics ≥ 6 months; route alerts to mailbox or ticketing; review regularly.
04.12VMwareThe VMware vCenter is configured in line with the infosec standards (hardening policy)Apply vCenter baseline (e.g., 9AAD132452 v3.3): SSO, MFA, RBAC, logging to Splunk, PKI certs, secure services.
04.13VMwareThe VMware ESXi are configured in line with the infosec standards (hardening policy)Apply ESXi baseline (e.g., 9AAD132074 v3.3): Lockdown Mode, SSH policy, firewall, NTP, syslog, secure boot.
04.14Hyper-VHardening not yet releasedTrack ABB baseline; meanwhile apply Microsoft STIG/CIS controls; document gaps/exceptions.
04.15NutanixHardening not yet releasedTrack ABB baseline; meanwhile apply Nutanix Security/CIS guidance; document gaps/exceptions.
04.16KVMHardening not yet releasedTrack ABB baseline; meanwhile apply CIS benchmarks for host OS and KVM; document gaps/exceptions.

Quick Checklist

  • Asset in ADAM and CMDB
  • Dedicated management interface
  • Mgmt interface on management network
  • Insecure protocols disabled
  • ABB certificate installed
  • Splunk log forwarding configured (or exception recorded)
  • AD / Entra ID auth (no shared accounts)
  • Local account policy + MFA (where supported)
  • Redundancy per site classification (PAIS approval if needed)
  • Hardening applied
  • Monitoring active; metrics retained ≥ 6 months
  • vCenter baseline applied
  • ESXi baseline applied
  • Track Hyper-V / Nutanix / KVM baselines and adopt on release

Mission Critical

References

  • Distinct Compute: Reference Design
  • VMware Architecture Blueprint & Guideline for SDC (P3 Hardening)
  • Site Business Impact Assessment
  • Information Classification & Handling Standard
  • Distinct IT Asset Management
  • Identity & Access Control Standard
  • ABB baselines repository (vCenter, ESXi)
  • Splunk onboarding guides