,

Configuration Compliance and Drift in VCF Operations: Catching Drift Before the Auditor Does (VCF 9 Operations Series, Part 10)

How VCF Operations scores configuration compliance, why a green cluster can still drift, and the honest line between what base Operations shows and what the Advanced Cyber Compliance add-on enforces.

VCF 9 Operations · Part 10 of 18

TL;DR · Key Takeaways

  • VCF Operations scores compliance by running your objects against a benchmark and returning a percent per object and per group. A host that fails 3 of 60 rules shows 95 percent, not a red or green light.
  • The built-in choices are the VCF Security Baseline plus regulatory frameworks like PCI DSS, HIPAA and NIST. CIS and CSA come as separate compliance packs you install from the Marketplace.
  • A green score and no drift are two different questions. Score answers do you match the rule set today. Drift answers has this cluster moved away from the state it was signed off in.
  • VCF Operations shows you the violations and the drift. Continuous enforcement and automatic desired-state remediation across the whole stack is the Advanced Cyber Compliance add-on in 9.1, not base Operations.
  • Exceptions are the part people skip. An unmanaged exception list turns a 100 percent target into permanent noise, so document every accepted deviation with an owner and a review date.

Compliance is the part of day-2 that most teams treat as a once-a-year fire drill, then wonder why the audit hurts. I have sat in enough of those rooms to know the pattern. Someone exports a config, an auditor finds forty settings that drifted since the last review, and nobody can say when or why they changed. VCF Operations exists to make that a continuous readout instead of an annual surprise, but only if you understand what its compliance score actually measures and where it stops.

This part is about configuration compliance and drift: how VCF Operations builds a score, which benchmark is grading you, why a green cluster can still have drifted, and the honest line between what base Operations does and what needs the Advanced Cyber Compliance add-on. I run this for real environments, so I will be blunt about the settings that bite.

How VCF Operations turns config into a score

Compliance in VCF Operations is a data-model problem before it is a security problem. Operations already collects properties on every object it manages: an ESX host advertises its NTP config, its lockdown mode, its syslog target, its shell timeout. A benchmark is just a set of rules that read those properties and decide pass or fail. Run the rules against the object, count the passes, and you get a compliance score expressed as a percent. Roll the objects up into a group and the group gets a weighted score too.

Object propertiesLockdown modeNTP sourceSyslog targetShell timeoutTLS ciphersBenchmark rulespass / fail eachScore57 / 60= 95%
Compliance is properties read by rules. Each failed rule pulls the percent down; the score is not a traffic light.

The percent hides the risk weighting

Here is where I disagree with how most dashboards present this. A 95 percent host sounds fine. But the three failing rules could be trivial (a cosmetic banner) or they could be the ones that matter (an unauthenticated syslog target, lockdown mode disabled). The score treats a banner and an open management path with the same weight unless you look at the individual findings. I tell teams to stop reporting the number to leadership and start reporting the list of failed high-severity rules. The percent is for trend, not for decisions.

The objects VCF Operations can score cover the core stack: ESX hosts and clusters, vCenter, vSAN, NSX managers and logical switches, distributed virtual switches, and the SDDC Manager itself. For any of those to be scored, the matching data source has to be connected first, which is the adapter work we covered back in Part 3. No adapter, no properties, no score.

Which benchmark is grading you?

This is the question I ask first on any new environment, because a compliance score is meaningless until you know the rule set behind it. VCF Operations ships with the VCF Security Baseline and a set of regulatory frameworks. Other well-known benchmarks, CIS and the Cloud Security Alliance pack, arrive as separate compliance packs you install from the Marketplace. They are not on by default, and I have watched teams assume they were CIS-compliant when nothing had ever loaded the CIS pack.

BenchmarkHow you get itUse it for
VCF Security BaselineBuilt in, out of the boxYour default hardening posture across the whole VCF stack
Regulatory frameworks (PCI DSS, HIPAA, NIST and similar)Built inMapping controls to an audit you already have to pass
CIS benchmark packCompliance pack from the MarketplaceTeams that standardise on CIS across all platforms
CSA packCompliance pack from the MarketplaceCloud-focused control mapping
Built-in versus add-on benchmarks. Do not report a CIS score you never installed.

One practical note on versions. The CIS pack tracks a specific benchmark release (the ESXi benchmark, for example, is pinned to a dated version), so when the CIS body publishes an update your pack does not silently follow. Check the pack version against what your auditor expects before you present a number.

Why a green cluster can still have drifted

Compliance score and drift answer different questions, and conflating them is the most common mistake I see. A benchmark score asks whether the object matches the rule set right now. Drift asks whether the object has moved away from the known-good state it was signed off in. A host can pass every benchmark rule and still have drifted, because someone changed an advanced setting the benchmark does not check. And a host can be flagged as drifted while still scoring 100 percent on the baseline.

Known-goodtemplateNightlycollectionComparelive vs templateMatchstays greenDifferdrift symptom fires
Drift detection compares live config to a known-good template on a schedule. It is a diff, not a benchmark.

Seen this go wrong

A four-host cluster passed the baseline at 100 percent for months. Then a storage vMotion started failing intermittently on one host. Drift comparison showed that host alone had an advanced NFS setting changed during a support call nobody logged. The benchmark never checked that setting, so the score stayed perfectly green while the host had quietly diverged from its three siblings. Score told us nothing; the config diff found it in a minute.

That is why I keep both signals on. Benchmark scoring is your security posture against a public standard. Drift comparison is your consistency against your own baseline, and it catches the human changes that never make it into a change ticket.

What base Operations does, and what needs the add-on

This is the line I most often have to draw for people who read a launch blog and expect automatic remediation. Base VCF Operations is strong at showing you the state: it scores objects against benchmarks, surfaces failed rules, tracks drift against templates, and trends the whole thing over time. What it does not do out of the box is continuously enforce a desired state or push fixes back across the full stack automatically. In VCF 9.1 that continuous, always-on compliance with desired-state remediation across workloads and infrastructure is the Advanced Cyber Compliance add-on, assessed and remediated against benchmarks like PCI DSS and the VCF security guidelines.

CapabilityBase VCF OperationsAdvanced Cyber Compliance (9.1)
Score objects against a benchmarkYesYes
Surface failed rules and driftYesYes
Continuous, always-on enforcementNoYes
Desired-state remediation across the stackNoYes
Fix policy drift on workloads and infrastructure togetherNoYes
Visibility is base Operations. Automatic enforcement and remediation is the ACC add-on.

Whether you buy the add-on depends on scale and appetite for automation. If you have a handful of clusters and a disciplined change process, base Operations plus a monthly review is enough. If you are running dozens of clusters under PCI or federal mandates where drift has to be corrected on a clock, manual remediation does not hold and the add-on earns its cost. Do not buy it to compensate for a broken change process; automation of a bad process just breaks faster.

The exception list is where compliance lives or dies

Every real environment has settings that will never pass a public benchmark, for a legitimate reason. A legacy app needs an older TLS cipher. A monitoring tool needs shell access the benchmark wants disabled. If you leave those as failing rules, your score sits at a permanent 94 percent and everyone learns to ignore it. Document each accepted deviation as an exception, with an owner, a reason, and a review date. An exception without a review date is just permanent debt with a nicer name.

Rule failson an objectLegitimatereason?Log an exceptionowner + review dateRemediatemanual or ACCyesno
Every failed rule goes one of two ways: a documented exception or a fix. Nothing sits in limbo.

Rolling the score up across groups and sites

In a single cluster the score is easy to read. Across a multi-site estate it is not, because a group score is an average and averages hide the one bad host. I build custom groups that match how I actually operate: one per site, one per environment tier such as prod and non-prod, and one for anything in PCI scope. Then I score each group against the benchmark that group is held to, rather than grading everything against a single baseline. A dev cluster does not need to pass PCI, and pretending it does just floods you with findings you will never act on.

Weighted averages lie about outliers

A 200-object group sitting at 99 percent can still hide ten hosts with lockdown mode off, because the average absorbs them. So I never alert on the group percent alone. I alert on the count of objects below a per-object floor: any host under 90 percent, or any host with an open high-severity finding. That turns a soft average into a hard list of names to go fix. For multi-site it also stops one noisy site from dragging a healthy site down and masking a genuine problem in the healthy one. This is the same grouping discipline that pays off for capacity and cost earlier in this series, and it is what makes a multi-cluster estate manageable instead of a wall of red.

A worked example: scoring a four-host cluster

Say you have a production cluster of four ESX hosts and you run the VCF Security Baseline against it. The baseline has, for argument, 60 host-level rules. Three hosts pass all 60. One host fails 3 rules: an outdated TLS cipher (legitimate, a legacy app needs it), lockdown mode disabled (not legitimate, someone turned it off to troubleshoot and forgot), and an NTP source pointing at the wrong server (a real drift).

Per host that is 57 of 60, so 95 percent. The cluster group score averages to roughly 98.75 percent, which looks great and hides the fact that one host has lockdown off. Work the three findings: the TLS cipher becomes a logged exception with a review date, so it stops dragging the score. Lockdown mode gets re-enabled, a real fix. The NTP source gets corrected back to the baseline. After remediation the host returns to 60 of 60 minus one documented exception, and the cluster reads a clean posture with one tracked deviation instead of a vague 98.75.

Before57 / 60 = 95%fails: TLS cipher, lockdown off, NTP driftAfter60 / 60, 1 logged exceptionscore hides the real risklockdown fixed, NTP fixed
Same host, before and after. The point is not the percent moving; it is that lockdown and NTP got fixed and the cipher is now tracked, not ignored.

What I’d do

Report the count of open high-severity findings and the count of exceptions past their review date. Those two numbers tell the real story. The headline percent goes in the appendix.

Signs it’s healthy

A healthy compliance setup looks like this: every managed cluster is scored against a named benchmark you actually chose, the exception list is short and every entry has an owner and a future review date, drift alerts fire within a day of a change and get triaged rather than muted, and the trend line is flat or climbing rather than sawtoothing every time someone touches a host. If your score bounces around and nobody can explain the dips, you have drift you are not catching, not a scoring problem.

Common questions

Does a 100 percent score mean I am secure?
No. It means you match the rules in whichever benchmark you loaded. A benchmark is a floor, not a full threat model, and it does not check settings outside its scope. Pair the score with drift comparison and your own known-good template.

Why did my score change when I did not touch anything?
Two usual causes. Either a host actually drifted through an unlogged change, or you updated a compliance pack and the new rule set grades differently. Check the pack version history before you assume someone changed a host.

Do I need CIS if I already run the VCF Security Baseline?
Only if an auditor or internal standard specifically asks for CIS. The baseline covers the VCF stack well. Running two overlapping benchmarks doubles the findings you have to reconcile, so add CIS because you must report it, not for extra comfort.

Can base Operations fix a violation for me?
Base Operations shows and tracks; it does not enforce or auto-remediate across the stack. Continuous enforcement and desired-state remediation is the Advanced Cyber Compliance add-on in 9.1. Without it, remediation is your runbook and your hands.

How often does drift get checked?
On the collection schedule for that object, typically daily. That is fast enough to catch an unlogged change the next morning, but it is not real-time. If you need instant enforcement, that is again add-on territory.

VCF 9 Operations · Part 10 of 18
« Previous: Part 9  |  VCF 9 Operations Complete Guide  |  Next: Part 11 »

References

About The Author


Discover more from Journal of Intelligent Infrastructure – By Dr Pranay Jha

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *

Architect’s Toolkit

About the Author

Dr. Pranay Jha is a Cloud and AI Consultant with 18+ years of experience in hybrid cloud, virtualization, and enterprise infrastructure transformation. He specializes in VMware technologies, multi-cloud strategy, and Generative AI solutions. He holds a PhD in Computer Applications with research focused on Cloud and AI, has published multiple research papers, and has been a VMware vExpert since 2016 and a VMUG Community Leader.

Discover more from Journal of Intelligent Infrastructure - By Dr Pranay Jha

Subscribe now to keep reading and get access to the full archive.

Continue reading