aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Software Engineering

How VMware Tanzu SaaS Products Handle Data Privacy And Security

  • aster.cloud
  • August 19, 2021
  • 5 minute read

Companies are adopting software as a service (SaaS) at a rapid pace. There are many factors contributing to this trend, including:

  • Operational efficiency – There are significant time and cost benefits to using vendor-managed, cloud-hosted software versus installing and maintaining commercial, off-the-shelf software in your own data centers.

  • Security – In a SaaS model, the vendor is responsible for updating the software to resolve security vulnerabilities, removing that burden from your teams.

  • Reliability – A vendor is bound by a service-level agreement (SLA) that provides an expected level of availability for the service. You can focus more on your business and less on maintaining high availability for vendor software on premises.

Many large enterprises, particularly in banking and financial services, have been hesitant to adopt SaaS because it challenges existing risk management models already in place for software.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

The stakes are raised when we’re talking about software that governs security policies and access controls, manages encryption keys and certificates, and provides administrative controls to authorized users. Security-conscious firms (which is basically everyone these days) don’t want to put the security controls themselves at risk.

Two of the SaaS products in the VMware Tanzu portfolio are in the critical path for securing systems at the heart of your IT infrastructure. VMware Tanzu Mission Control provides a centralized control plane for Kubernetes, and Tanzu Service Mesh provides a global control plane for service mesh networks.

In this post, we’ll cover the data security and data privacy elements of each product. We’ll examine how each product communicates between your infrastructure and the VMware Cloud, how it’s secured, and what types of data cross those wires. We’ll also look at the identity and access controls used by both SaaS products, including how Tanzu Mission Control provides end users secure access to the clusters it manages.

Data security, end-to-end

When data is leaving an enterprise’s corporate firewalls, security teams put those flows under a microscope. How are connections established, and are they encrypted? What information is being sent to the third party? Does it include any customer data, personally identifiable information, or other sensitive information?

Read More  GitLab Inc.’s Partner Ecosystem Expands To Meet Increasing Demand For DevOps Solutions

Let’s take a high-level look at how each Tanzu SaaS communicates.

Reporting in on a secure channel, Mission Control

First, let’s take a look at the communication between Kubernetes clusters and Tanzu Mission Control.

Kubernetes clusters communicate to Tanzu Mission Control via an agent installed on the cluster. The agent syncs with Tanzu Mission Control to receive configurations and policies from the centralized control plane. It communicates outbound, so all the protections of traditional corporate firewalls and proxies apply.

 

All communication is encrypted with TLS. In addition to being encrypted in transit, all data is encrypted at rest within the SaaS.

For more detailed information on the security practices within Tanzu Mission Control, check out this whitepaper.

Tanzu Service Mesh, reporting in

Tanzu Service Mesh also needs to phone home to its global control plane and does so using the same principles: outbound-only connections and encrypted communication.

When a Kubernetes cluster is onboarded to Tanzu Service Mesh, a local controller is deployed. That local controller is responsible for, among other things, registering with the SaaS, syncing configuration information, and providing periodic telemetry data on the health and utilization of the service mesh.

It ends up looking something like this:

 

Note the two types of traffic in this example: network traffic between your environment and Tanzu Service Mesh SaaS, and the network traffic of applications using the service mesh.

It’s important to note that when applications communicate across the service mesh, that network traffic never leaves your company’s networks. The actual application data—the payloads of information delivered between microservices on the mesh—is never collected by the SaaS. Even if that network traffic were intercepted and inspected by a bad actor within your corporate network, that traffic is encrypted with mutual TLS certificates that are managed and rotated locally.

Read More  What’s The Difference Between a Junior, Mid-Level, and Senior Developer?

We’ll examine what information is currently collected by the SaaS in the next section.

Inspecting the payload

So we’ve established that communication channels are secure, but what data is actually transmitted to the VMware Cloud?

Let’s start with what is not collected or stored:

  • Your workload’s data

  • Sensitive Kubernetes objects, such as secrets

  • Tanzu Mission Control Data Protection backups

Tanzu Mission Control and Tanzu Service Mesh operate on the principle of only collecting the data necessary to carry out their functions as a global control plane. That data includes: cluster names, host names, service and deployment inventories, names of pods and namespaces, labels, and other metadata about the environment. Additionally, performance metrics are collected to provide insight into traffic patterns and the health of Kubernetes clusters and service meshes. These include metrics on throughput, latency, and error rates as well as CPU, memory, and network utilization.

Identity and access control

Just as important as how these services are secured is the question of who has access.

Access to Tanzu Mission Control and Tanzu Service Mesh is controlled by the VMware Cloud Services platform. VMware Cloud Services is independent of Tanzu and provides identity and access control to VMware Cloud products.

VMware Cloud Services can be federated with your corporate domain, allowing you to use your organization’s single sign-on and identity source to sign in. You can also set up multifactor authentication for an increased level of security.

Access to Kubernetes clusters is granted through the use of standard OAuth tokens. The access control policies you set through VMware Cloud Services and Tanzu Mission Control translate into Kubernetes role-based access control policies on the cluster.

Tanzu Mission Control installs Pinniped on all managed Kubernetes clusters. Pinniped is an OpenID Connect–based authentication system for Kubernetes. Pinniped integrates with VMware Cloud Services and enterprise identity providers to ensure a consistent, secure authorization flow for all clusters regardless of the infrastructure they are deployed on. To learn more about Pinniped, check out the project here.

Read More  How CBcloud Is Improving The Working Conditions Of Japanese Delivery People With Google Maps Platform

 

Tanzu Mission Control also provides audit logs so organization administrators can monitor activities that are initiated through Tanzu Mission Control. This allows you to track what was done, who performed the action, when the action occurred, and where the action occurred.

Compliance

Tanzu Mission Control and Tanzu Service Mesh comply with the highest-class industry security and operational standards, including: SOC 2 Type 2, SOC 2 Type 1, ISO/IEC 27001, and CSA Star. These certifications attest that controls are in place to securely manage and protect customer data.

Visit the VMware Cloud Trust Center Compliance page for more information, including how to get access to these reports.

SaaS is here to stay

The specifics of how these types of products manage security and privacy will continue to evolve to meet changing enterprise needs and external challenges. However, one thing is clear. With such robust security and compliance measures built into Tanzu SaaS products, even the most highly regulated banks and financial institutions are now taking advantage of SaaS to build, run, and manage the modern applications platform that powers their businesses.

Interested in learning more or trying out these tools for your organization? Explore what’s available with our Hands-on Labs, and register for SpringOne and VMworld to learn more about how the Spring and Tanzu ecosystems are improving the developer experience and enabling meaningful digital transformations at enterprises around the world.

About the Author

Brian is a Staff Solutions Engineer in VMware’s Modern Applications Platform Business Unit. Before joining Pivotal and VMware, he spent 15 years in enterprise IT architecture and engineering, building, running, and securing containerized application platforms at scale and revolutionizing developer experience with open source software.

 

By BRIAN KIRKLAND
Source VMware Tanzu


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Kubernetes
  • SaaS
  • Tanzu Service Mesh
  • VMware
You May Also Like
View Post
  • Software Engineering
  • Technology

Claude 3.7 Sonnet and Claude Code

  • February 25, 2025
View Post
  • Engineering
  • Software Engineering

This Month in Julia World

  • January 17, 2025
View Post
  • Engineering
  • Software Engineering

Google Summer of Code 2025 is here!

  • January 17, 2025
View Post
  • Software Engineering

5 Books Every Beginner Programmer Should Read

  • July 25, 2024
Ruby
View Post
  • Software Engineering

How To Get Started With A Ruby On Rails Project – A Developer’s Guide

  • January 27, 2024
View Post
  • Engineering
  • Software Engineering

5 Ways Platform Engineers Can Help Developers Create Winning APIs

  • January 25, 2024
Clouds
View Post
  • Cloud-Native
  • Platforms
  • Software Engineering

Microsoft Releases Azure Migrate Assessment Tool For .NET Application

  • January 14, 2024
View Post
  • Software Engineering
  • Technology

It’s Time For Developers And Enterprises To Build With Gemini Pro

  • December 21, 2023

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.